Webpage Screenshot
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: webpage-screenshot
Version: 1.0.0
The `SKILL.md` file instructs the AI agent to execute a shell command (`npm run screenshot`) with user-provided arguments (`<URL>`, `[输出路径]`). This pattern introduces a significant shell injection vulnerability if the OpenClaw agent does not rigorously sanitize user inputs before executing the command. While the skill's stated purpose (webpage screenshot) is benign, the direct command execution with unsanitized user input poses a critical risk for arbitrary command execution on the host system, classifying it as suspicious due to this vulnerability.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the command may execute whatever screenshot script exists in the current project and may create or overwrite a screenshot file.
The skill's recommended screenshot method relies on executing a local npm script. This is aligned with the screenshot purpose, but users should confirm what the local script does before running it.
npm run screenshot -- <URL> [输出路径]
Before using this method, inspect the project's package script and choose an output path that will not overwrite important files.
The user may need to install npm dependencies and a Chromium browser package before screenshots work.
The skill documents package installation and a browser download as prerequisites, while the provided package is instruction-only. This is common for Playwright-based screenshots, but the installed dependencies are outside the reviewed artifact content.
Prerequisites: `npm install` has been run and the browser has been installed: `npx playwright install chromium`.
Only run installation commands in a trusted project environment and review the package source before installing dependencies.
