podman-browser
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: podman-browser
Version: 1.2.1
The skill is classified as suspicious due to the use of `--ipc=host` and `--no-sandbox` flags when launching Chromium within the Podman container, as seen in `browse.js` and documented in `SKILL.md`. While these configurations might be used for browser stability, they significantly increase the attack surface by allowing container processes to access host IPC resources and reducing browser isolation. Additionally, the `browse.js` script performs `npm install playwright` inside the container on every execution, introducing a dynamic dependency resolution step which carries a minor supply chain risk, even for a legitimate package.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or compromised webpage could include text that tries to influence the agent after the page is fetched.
The skill intentionally returns webpage content to the agent; webpages can contain prompt-injection text or misleading instructions if the agent later treats the page content as authoritative.
Fetch a JavaScript-rendered page and return its text content. ... `--html` - Return raw HTML instead of text
Treat fetched webpage text or HTML as untrusted content and do not follow instructions found inside page output unless the user explicitly asks.
The skill depends on external registries being available and trustworthy when it runs.
The tool pulls a remote container image and installs a Playwright npm package at runtime. The versions are pinned by tag/version, but the container image is not pinned by digest and there is no lockfile in the artifact set.
`const IMAGE = 'mcr.microsoft.com/playwright:v1.50.0-noble';` ... `npm install playwright@${PLAYWRIGHT_VERSION}`
Use this only in environments where pulling from Microsoft Container Registry and npm is acceptable; for stricter environments, pin the image by digest and prebuild or lock dependencies.
Invoking the skill runs local Podman and executes code inside a newly started container.
The CLI starts a Podman process and runs a bash command inside the container. This is expected for the browser-container purpose and is disclosed in the documentation.
`const proc = spawn('podman', podmanArgs, { stdio: ['inherit', 'inherit', 'inherit'] });`
Install and invoke it only if you are comfortable with the agent launching Podman containers for webpage fetching.
If a browser or container escape vulnerability were exploited by a page, the reduced isolation could increase host exposure compared with a fully sandboxed browser container.
The container shares the host IPC namespace and Chromium is launched without its sandbox. This is documented as a Chromium stability choice, but it reduces isolation when browsing untrusted pages.
`'--ipc=host',` ... `args: ['--no-sandbox', '--disable-setuid-sandbox']`
Prefer trusted or necessary URLs, keep Podman and the Playwright image updated, and consider removing `--ipc=host` or using stronger container isolation if stability allows.
