Browser
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Opening untrusted web pages through this skill could expose the local runtime to more risk than a sandboxed browser would.
The skill intentionally renders user-provided URLs in a headless browser, and the browser is launched with sandbox protections disabled. This is aligned with the browser-reading purpose, but it reduces containment if a malicious page exploits the browser.
browser = await puppeteer.launch({ args: ['--no-sandbox', '--disable-setuid-sandbox'] }); ... await page.goto(url, { waitUntil: 'networkidle2' });Use this skill in an isolated environment when browsing untrusted sites, and consider removing the no-sandbox flags if the runtime supports Chromium sandboxing.
Installation may depend on whatever Puppeteer package version is available in the environment, which can affect reliability and supply-chain reviewability.
The skill depends on Puppeteer, but the provided artifacts do not include an install specification, package.json, or lockfile to define the exact package version or installation source.
## Dependencies - `puppeteer`
Prefer a reviewed install spec or pinned package manifest before installing or running the skill in a sensitive environment.