podman-browser
PassAudited by ClawScan on May 10, 2026.
Overview
The skill appears to do what it claims—run a Podman-based Playwright browser to fetch rendered webpages—but users should notice that it runs containers, pulls external packages, and returns untrusted web content.
Before installing, confirm you are comfortable letting the agent run Podman containers and make web requests. Avoid passing secret-bearing URLs, treat returned webpage text or HTML as untrusted, and consider stronger dependency pinning or container isolation for sensitive environments.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or compromised webpage could include text that tries to influence the agent after the page is fetched.
The skill intentionally returns webpage content to the agent; webpages can contain prompt-injection text or misleading instructions if the agent later treats the page content as authoritative.
Fetch a JavaScript-rendered page and return its text content. ... `--html` - Return raw HTML instead of text
Treat fetched webpage text or HTML as untrusted content and do not follow instructions found inside page output unless the user explicitly asks.
The skill depends on external registries being available and trustworthy when it runs.
The tool pulls a remote container image and installs a Playwright npm package at runtime. The versions are pinned by tag/version, but the container image is not pinned by digest and there is no lockfile in the artifact set.
const IMAGE = 'mcr.microsoft.com/playwright:v1.50.0-noble'; ... npm install playwright@${PLAYWRIGHT_VERSION}Use this only in environments where pulling from Microsoft Container Registry and npm is acceptable; for stricter environments, pin the image by digest and prebuild or lock dependencies.
Invoking the skill runs local Podman and executes code inside a newly started container.
The CLI starts a Podman process and runs a bash command inside the container. This is expected for the browser-container purpose and is disclosed in the documentation.
const proc = spawn('podman', podmanArgs, { stdio: ['inherit', 'inherit', 'inherit'] });Install and invoke it only if you are comfortable with the agent launching Podman containers for webpage fetching.
If a browser or container escape vulnerability were exploited by a page, the reduced isolation could increase host exposure compared with a fully sandboxed browser container.
The container shares the host IPC namespace and Chromium is launched without its sandbox. This is documented as a Chromium stability choice, but it reduces isolation when browsing untrusted pages.
'--ipc=host', ... args: ['--no-sandbox', '--disable-setuid-sandbox']
Prefer trusted or necessary URLs, keep Podman and the Playwright image updated, and consider removing `--ipc=host` or using stronger container isolation if stability allows.