Deep Scraper
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: deep-scraper
Version: 1.0.1
The skill bundle is classified as benign. It implements a web scraper using Docker, Crawlee, and Playwright, which aligns with its stated purpose of 'deep web scraping' and 'penetrating protections' on complex websites. While it utilizes Docker and runs Playwright with `--no-sandbox` (a common requirement for Playwright in Docker that reduces in-container security), these capabilities are plausibly needed for its function. The code in `assets/main_handler.js` and `assets/youtube_handler.js` focuses on scraping public web content, outputs results to stdout, clears cookies to prevent session leakage, and does not exhibit any signs of data exfiltration, malicious execution, persistence, prompt injection against the agent, or obfuscation. The `SKILL.md` explicitly forbids scraping password-protected or non-public personal information, indicating a consideration for privacy.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If pointed at the wrong page, the skill could collect and return content from that page.
The handler accepts an arbitrary target URL, loads it in a browser, and returns page text. This is expected for a scraper, but users should notice the broad target scope.
const targetUrl = process.argv[2]; ... await page.goto(targetUrl, { waitUntil: 'networkidle' }); ... data: content.substring(0, 10000)
Use it only with approved public URLs and require explicit confirmation before scraping private, internal, or sensitive pages.
A user may need to supply or locate unreviewed Docker build instructions before the skill works.
The skill asks users to build a Docker image, but the provided manifest does not include a Dockerfile and the registry has no install spec. This is a setup/provenance gap, although the step is disclosed and user-directed.
Build command: `docker build -t clawd-crawlee skills/deep-scraper/` ... Ensure the Dockerfile remains within the skill directory
Inspect the Dockerfile/build context before building the image, and prefer a complete, reviewed package with install requirements declared in metadata.
The installed scraping runtime may vary over time depending on package resolution.
The npm dependencies use version ranges and no lockfile is present in the provided manifest, so future installs may resolve different package versions.
"dependencies": { "crawlee": "^3.0.0", "playwright": "^1.40.0" }
Use a lockfile or pinned dependency versions when building the container for repeatable installs.
