Earnings Tracker

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does what it says, but it has under-disclosed credential handling and an unnecessary vulnerable dependency that users should review before installing.

Install only if you are comfortable with earnings queries being sent to Tavily and translated content being sent to BigModel/GLM. Use dedicated Tavily and ZAI keys, avoid running it with OPENAI_API_KEY present unless the fallback is removed or approved, and consider removing or upgrading the unused Playwright dependency before installation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Unpinned Dependencies

Low
Category: Supply Chain
Content:
  "author": "OpenClaw",
  "license": "MIT",
  "dependencies": {
    "playwright": "^1.40.0"
  }
}
Confidence: 88%
Finding: "playwright": "^1.40.0"

Known Vulnerable Dependency: playwright==1.40.0 — 1 advisory(ies): CVE-2025-59288 (Playwright downloads and installs browsers without verifying the authenticity of)

High
Category: Supply Chain
Confidence: 97%
Finding: playwright==1.40.0

VirusTotal

64/64 vendors flagged this skill as clean.
