Webperf Core Web Vitals
PassAudited by ClawScan on May 1, 2026.
Overview
This appears to be a benign Core Web Vitals diagnostic skill that runs expected Chrome DevTools page-measurement snippets with temporary page instrumentation.
This skill is reasonable for Core Web Vitals debugging. Before using it, make sure Chrome DevTools is attached to a site you are authorized to inspect, expect temporary visual highlighting and interaction tracking, and avoid running it on sensitive pages if interaction metadata should not be exposed to the agent.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may run multiple diagnostic scripts against the page you have open in Chrome DevTools.
The skill asks the agent to execute JavaScript in the active browser page and may chain additional diagnostic snippets based on results. This is disclosed and central to the purpose, but it is still a broad browser-control capability users should notice.
JavaScript snippets for measuring web performance in Chrome DevTools. Execute with `mcp__chrome-devtools__evaluate_script` ... Use this decision tree to automatically run follow-up snippets based on results
Use it only on pages you are allowed to inspect, and keep follow-up runs limited to the provided performance diagnostics.
The page may show temporary outlines or visual markers during analysis.
The LCP snippet temporarily changes page element styling to highlight the measured element. This is purpose-aligned visual debugging, but it is a page mutation.
i.style.outline="3px dashed lime",i.style.outlineOffset="2px"
Expect visual highlighting during audits; reload the page afterward if you want to clear any temporary styling.
If you interact with a private or sensitive page during tracking, the agent may receive timing and element-identifying details about those interactions.
The INP snippet stores interaction timing and target-element metadata in page context and exposes getter functions for later retrieval. This is expected for INP tracking, but it records interaction metadata while active.
const t=[]; ... t.push({name:o.name,duration:o.duration,startTime:o.startTime,interactionId:o.interactionId,target:o.target,...}); ... window.getINP=()=>Run INP tracking only on pages where exposing interaction metadata to the agent is acceptable, and reload or close the page when finished.