Playwright Scraper
Scrapes websites using Playwright with stealth mode to bypass bot detection, supporting dynamic JS content and customizable viewport and User-Agent.
MIT-0 · Free to use, modify, and redistribute. No attribution required.
⭐ 1 · 1.9k · 41 current installs · 42 all-time installs
byxiaofu@3coco3
MIT-0
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The name/description match the included Playwright-related packages (playwright-extra, puppeteer-extra-plugin-stealth), so purpose and declared dependencies largely align. However: package.json does not include the actual Playwright binary/package (playwright) nor Chromium; SKILL.md says Playwright and Chromium must be installed in the skill directory but there is no install spec to do that. More importantly, index.js does not implement scraping itself but calls an external script 'scripts/playwright-stealth.js' which is not present in the package manifest — this is an unexplained gap.
Instruction Scope
index.js uses child_process.execSync to run: node scripts/playwright-stealth.js "<url>". The URL argument is inserted into a shell command without escaping/sanitization, creating a straightforward command-injection vector if an attacker supplies a crafted URL. The runtime behavior therefore goes beyond the SKILL.md prose (which describes scraping) by delegating to an external script that isn't provided — that missing artifact and the unsanitized shell invocation are clear scope/security concerns.
Install Mechanism
There is no install spec (no automated install steps). package.json lists dependencies but omits 'playwright' and any script to fetch Chromium; SKILL.md says Playwright and Chromium must be installed in the skill directory, leaving manual setup to the operator. Lack of an install step is lower risk than arbitrary downloads, but it also means required runtime artifacts are missing unless the user performs manual installs.
Credentials
The skill declares no required environment variables or credentials and the code does not reference env vars. The absence of requested secrets is appropriate for a scraper-only skill.
Persistence & Privilege
always:false and no special persistence or cross-skill configuration changes are requested. The skill runs as a normal MCP server and does not request elevated platform privileges.
What to consider before installing
Don't install this as-is. Key issues: (1) index.js expects scripts/playwright-stealth.js which is not included — that missing file means the package is incomplete and could be replaced or modified to run arbitrary code; (2) the code runs execSync with the user-provided URL interpolated into a shell command, opening a command-injection risk; (3) package.json omits the Playwright package and Chromium install steps the SKILL.md requires. Before trusting this skill, ask the author to provide the missing scripts, include a clear install script or package playwright properly, and remove shell interpolation (use child_process.spawnFile or pass args as an array, and validate/escape input). If you must run it, only do so in a well-isolated sandbox after auditing the missing script and replacing execSync with a safer execution pattern.Like a lobster shell, security has layers — review code before you run it.
Current versionv1.0.0
Download ziplatest
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
SKILL.md
Playwright Stealth Scraper
A high-performance MCP skill for OpenClaw that bypasses anti-bot measures using Playwright Extra and Stealth plugin.
Features
- Stealth Mode: Uses
puppeteer-extra-plugin-stealthto mimic real browser behavior. - Dynamic Content: Full JavaScript execution support for SPA and React-based sites.
- Flexible Options: Custom viewport and User-Agent spoofing.
Tools
stealth_scrape
Scrapes any URL with advanced bot detection bypass.
url: The target website address.
Installation
Requires Playwright and Chromium to be installed in the skill directory.
Files
5 totalSelect a file
Select a file to preview.
Comments
Loading comments…