Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Playwright Commander

v1.0.0

A skill to interact with web browsers using Playwright for advanced UI automation, analysis, and debugging.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
!
Purpose & Capability
The skill description promises many browser actions (execute arbitrary JS, click/type, advanced interactions). The actual CLI (scripts/playwright_cli.py) only implements launching, navigating + screenshot, and getting page content. Examples in SKILL.md (e.g., click_element) are not implemented in the script. Including the Playwright library in the bundle is coherent with the stated purpose, but the mismatch between claimed features and the shipped CLI is an inconsistency that could be accidental or misleading.
Instruction Scope
SKILL.md instructs agents to run the contained CLI (python3 scripts/playwright_cli.py) to browse arbitrary URLs and print or save page content/screenshots. The instructions do not ask to read unrelated local files or extra env vars. However the CLI will fetch arbitrary URLs and print page content to stdout (or JSON), which means sensitive site content could be read and returned by the agent if given internal URLs — this is expected for a browser automation tool but is a data‑exposure vector. Also SKILL.md claims functionality (execute JS, interact with elements) that the script does not implement, granting more implied authority than actually present.
!
Install Mechanism
There is no external install spec, but the package includes a complete virtualenv and hundreds of Playwright and dependency files (venv/...). Bundling an entire venv inside a skill is heavy and uncommon: it means many compiled modules and third‑party code will be written to disk when the skill is installed. While including Playwright itself is consistent with the skill, the large embedded runtime increases audit surface (compiled C/C++ code, node components, server/agent code under Playwright driver) and should be reviewed carefully because it could contain logic beyond the CLI script.
Credentials
The skill declares no required env vars or credentials, which matches the script. Playwright usage can cause network access to arbitrary URLs and will write files (screenshots) to paths supplied by the caller — the CLI accepts arbitrary file paths, so it could overwrite files if misused. No direct requests for unrelated credentials are present, but because the tool can visit arbitrary URLs it could be used to fetch sensitive internal pages; avoid granting it access to internal networks or secrets when not necessary.
Persistence & Privilege
The skill does not request always:true and leaves model invocation enabled (normal). It does not declare modifications to other skills or system config. There is no evidence it attempts to persist beyond its own files. Still, the bundled venv means many files get installed with the skill, but that's not the same as elevated runtime privileges.
Scan Findings in Context
[system-prompt-override] unexpected: The static scan flagged a system-prompt-override pattern in SKILL.md. The visible SKILL.md supplied in the manifest does not obviously contain a prompt override, but the scanner's flag must be taken seriously: it could indicate hidden or obfuscated content in the full SKILL.md or other included files. This is not expected for a Playwright automation skill.
[base64-block] unexpected: A base64-block pattern was detected in the skill bundle. Playwright automation normally does not require embedded base64 blobs in SKILL.md; base64 content can be used to hide payloads. Review any base64 content before installing.
[unicode-control-chars] unexpected: Unicode control characters were detected. These are sometimes used to obfuscate or inject content in prompts or documentation. The presence of these characters in SKILL.md or other files is unexpected and should be examined.
What to consider before installing
- Feature mismatch: SKILL.md promises clicking, typing, and executing custom JS, but the bundled CLI script only supports launch, navigate+screenshot, and get_content. Ask the publisher for an updated SKILL.md or a CLI that implements the missing commands. Do not assume missing capabilities exist.
- Large bundled venv: This skill includes a complete virtualenv with compiled modules and Playwright drivers. That increases the amount of third‑party code you are installing. Prefer skills that depend on official packages (installed at deploy time) or provide a clear provenance for bundled binaries.
- Prompt‑injection flags: The static scanner found patterns (system prompt override, base64, unicode control chars). Even if the visible SKILL.md looks fine, review the raw SKILL.md and any other included text for hidden/obfuscated instructions before running.
- Data exposure risks: The CLI will visit arbitrary URLs and print page content or save screenshots. Do not let the skill access internal sites, admin consoles, or pages behind authentication unless you explicitly trust and isolate the environment. Be cautious about paths passed to --path because the skill will write files to disk and could overwrite data.
- Run safely first: If you still want to test it, run the CLI in a tightly sandboxed environment (isolated container, no access to internal networks, minimal filesystem permissions), inspect logs and all scripts (especially anything that could start a server), and verify which files the skill writes. Prefer installing from a trusted source or rebuilding a minimal runtime from known package sources (pip install playwright) rather than using an opaque bundled venv.
- Ask the owner for: source repository, developer contact, an implemented feature list matching the SKILL.md, and an explanation for the bundled virtualenv and any base64/obfuscated content. If they cannot provide reasonable answers, treat the skill as untrusted.

Like a lobster shell, security has layers — review code before you run it.
