Browser

Pass

Audited by ClawScan on May 10, 2026.

Overview

This is a coherent browser-reading skill, but users should note that it renders arbitrary web pages with Puppeteer and uses an undeclared external dependency.

This skill appears benign for rendering and reading web pages. Before installing, be aware that it opens arbitrary URLs in a Puppeteer browser launched with flags that disable the browser sandbox, so it is safest to run it in a container or otherwise isolated environment, especially for unknown websites.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Opening untrusted web pages through this skill could expose the local runtime to more risk than a sandboxed browser would.

Why it was flagged

The skill intentionally renders user-provided URLs in a headless browser, and the browser is launched with sandbox protections disabled. This is aligned with the browser-reading purpose, but it reduces containment if a malicious page exploits the browser.

Skill content

browser = await puppeteer.launch({ args: ['--no-sandbox', '--disable-setuid-sandbox'] }); ... await page.goto(url, { waitUntil: 'networkidle2' });

Recommendation

Use this skill in an isolated environment when browsing untrusted sites, and consider removing the no-sandbox flags if the runtime supports Chromium sandboxing.

What this means

Installation may depend on whatever Puppeteer package version is available in the environment, which can affect reliability and supply-chain reviewability.

Why it was flagged

The skill depends on Puppeteer, but the provided artifacts do not include an install specification, package.json, or lockfile to define the exact package version or installation source.

Skill content

## Dependencies

- `puppeteer`

Recommendation

Prefer a reviewed install spec or pinned package manifest before installing or running the skill in a sensitive environment.