ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Playwright Browser Automation

v1.0.0

Browser automation using Playwright API directly. Navigate websites, interact with elements, extract data, take screenshots, generate PDFs, record videos, an...

0· 45·0 current·0 all-time
by@onlyloveher
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (Playwright automation) align with requested binaries (node, npx) and the SKILL.md which instructs installing the official 'playwright' npm package and browser binaries. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
SKILL.md stays within browser automation scope (navigation, locators, network routing, screenshots, PDFs, video, upload/download, storageState). It shows examples of executing arbitrary JS via page.evaluate and using local file paths for uploads/downloads/storageState—these are normal for automation but can be misused to expose data if the agent is scripted to evaluate untrusted code or upload sensitive local files. The SKILL.md also suggests running 'sudo npx playwright install-deps' on Linux, which is expected for system deps but requires elevated privileges during setup.
Install Mechanism
No bundled install spec in the package; the instructions use npm/npx to install the well-known 'playwright' package and its browsers. This is a standard, traceable install path (no arbitrary URL downloads or extract operations).
Credentials
The skill declares no required environment variables or credentials. Examples show using HTTP Basic auth, cookies, and storageState files as part of browser workflows (typical for automation). There are no unexpected secret requests or unrelated environment access.
Persistence & Privilege
always is false and the skill does not request permanent presence or modify other skills. It includes examples referencing an MCP server lifecycle but does not persist beyond ordinary use or demand elevated persistent privileges.
Assessment
This skill appears coherent for Playwright-based browser automation. Before installing, ensure you: 1) are comfortable allowing the agent to run node/npx and to install browser binaries (npx install may request sudo for system deps on Linux); 2) do not pass secrets or sensitive local file paths to automated scripts (page.evaluate runs arbitrary JS in the page context and file upload/download APIs can leak local files if misused); 3) run automation in an isolated environment (container/VM) if you need to reduce risk of accidental data exposure; and 4) if you plan to use the MCP examples, confirm how OpenClaw will manage the MCP server and its network access. Overall the skill is consistent with its purpose, but exercise standard caution when automating interactions with sites that handle sensitive data.

Like a lobster shell, security has layers — review code before you run it.

latestvk97b30j7php50cvnfgjhs298ch83qnsg

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎭 Clawdis
OSLinux · macOS · Windows
Binsnode, npx

Comments