ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Lightpanda browser

v1.0.3

Lightpanda browser, drop-in replacement for Chrome and Openclaw default browser - faster and lighter for tasks without graphical rendering like data retrieval. Use it with CDP clients like Playwright or Puppeteer.

3· 2.1k·4 current·5 all-time
by@krichprollsch
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name and description (headless CDP browser for data extraction) match the included SKILL.md and the install script which downloads a Lightpanda binary and instructs how to run a CDP server. There are no environment variables or credentials requested that would be unrelated to a browser.
Instruction Scope
SKILL.md stays on-topic: it tells the agent how to install, start, and connect to a local CDP endpoint and how to use Playwright/Puppeteer. It does not instruct reading unrelated files, exfiltrating data, or contacting unexpected external endpoints beyond GitHub (for install/checksum) and web targets that the user browses.
Install Mechanism
Install script downloads a nightly binary directly from GitHub releases (well-known host) to $HOME/.local/bin and verifies a SHA256 digest fetched from the GitHub releases API. This is a reasonable, common pattern, but downloading and executing an unvetted nightly binary carries inherent risk. The script's reliance on an asset '.digest' field may be fragile (if absent, install aborts). Requires curl, jq, and sha256sum/shasum.
Credentials
No credentials or sensitive environment variables are requested. The only optional env observed is LIGHTPANDA_DIR to override the install directory — appropriate for an installer. The runtime uses a localhost port for CDP; no external auth or tokens are required by the skill itself.
Persistence & Privilege
Skill is instruction-only (plus an install script) and does not request 'always: true'. It installs a user-local binary (no system-wide privilege escalation) and does not modify other skills or global agent settings.
Assessment
The skill appears coherent with its stated purpose, but before installing consider: (1) The installer fetches and executes a nightly binary from GitHub releases — nightly builds are unvetted and could contain bugs or malicious changes. Only proceed if you trust the lightpanda-io project; review the upstream GitHub repository and recent release notes/commit history. (2) The script verifies a SHA256 digest obtained from the GitHub API; verify the repository and asset yourself if possible. (3) The binary runs as your user and exposes a CDP server on localhost (ws://127.0.0.1:9222) — be careful not to bind it to public interfaces and limit access to trusted processes. (4) The install requires curl, jq, and sha256sum/shasum; the digest lookup may fail if the release asset lacks the expected 'digest' field. If you want extra safety, run Lightpanda inside a container or isolated VM, or prefer official/stable builds instead of nightly binaries. Also note a minor metadata inconsistency: registry metadata listed no source/homepage, but SKILL.md points to a GitHub repo — confirm the canonical upstream project before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ac7mmdvm1mytw20g11n0hy980zzc7
2.1kdownloads
3stars
4versions
Updated 6h ago
v1.0.3
MIT-0
@krichprollsch
latest
Download

Lightpanda

Use instead of Chrome/Chromium and Openclaw default browser for data extraction and web automation when you don't need graphical rendering.

Lightpanda is a headless browser optimized for speed and low resource usage. It exposes a CDP (Chrome DevTools Protocol) endpoint that works with standard automation libraries.

Alternative to built-in web search

When the built-in Web Search tool is unavailable, or when you need more control over search results (e.g., following links to extract full page content), you can use Lightpanda with DuckDuckGo as an alternative. Prefer the built-in Web Search tool when it is available and sufficient for your needs.

Install

bash scripts/install.sh

Lightpanda is available on Linux and macOS only. Windows is not supported.

The binary is a nightly build that evolves quickly. If you encounter crashes or issues, run scripts/install.sh again to update to the latest version (max once per day).

If issues persist after updating, open a GitHub issue at https://github.com/lightpanda-io/browser/issues including:

  • The crash trace/error output, or a description of the unexpected behavior (e.g., missing or incorrect data)
  • The Playwright/Puppeteer script that reproduces the issue
  • The target URL and expected vs actual results

Start the Browser Server

$HOME/.local/bin/lightpanda serve --host 127.0.0.1 --port 9222

Options:

  • --log_level info|debug|warn|error - Set logging verbosity
  • --log_format pretty|json - Output format for logs

Usage

You can connect directly to the CDP websocket via ws://127.0.0.1:9222. You can also get the WebSocket URL via http://127.0.0.1:9222/json/version.

Use the browser as a drop-in replacement for Chrome and the Openclaw default browser. Send CDP commands directly or use Playwright or Puppeteer.

Important to note:

  • Lightpanda executes JavaScript, making it suitable for dynamic websites and SPAs. However, it is under heavy development and may have occasional issues.
  • For web searches, use DuckDuckGo instead of Google. Google blocks Lightpanda due to browser fingerprinting.
  • Lightpanda supports only 1 CDP connection per process. Each connection can create 1 context and 1 page only. No multi-contexts are available. If you need multiple navigations at the same time, start another process with a new port number. Lightpanda is fast to start and stop, so using multiple processes is more performant than multiple tabs on Chrome.
  • The browser resets all context/page on CDP connection close. So keep the websocket connection open throughout a browsing session. You can reuse an existing process for a subsequent connection; you will start with a clean state.
  • On connection, always create a new context and a new page. At the end, close both.

Using with playwright-core

Connect to Lightpanda using playwright-core (not the full playwright package):

const { chromium } = require('playwright-core');

(async () => {
  // Connect to Lightpanda via CDP
  const browser = await chromium.connectOverCDP({
    endpointURL: 'ws://127.0.0.1:9222',
  });

  const context = await browser.newContext({});
  const page = await context.newPage();

  // Navigate and extract data
  await page.goto('https://example.com');
  const title = await page.title();
  const content = await page.textContent('body');

  console.log(JSON.stringify({ title, content }));

  await page.close();
  await context.close();
  await browser.close();
})();

Using with puppeteer-core

Connect to Lightpanda using puppeteer-core (not the full puppeteer package):

const puppeteer = require('puppeteer-core');

(async () => {
  const browser = await puppeteer.connect({
    browserWSEndpoint: 'ws://127.0.0.1:9222'
  });

  const context = await browser.createBrowserContext();
  const page = await context.newPage();

  await page.goto('https://example.com', { waitUntil: 'networkidle0' });
  const title = await page.title();

  console.log(JSON.stringify({ title }));

  await page.close();
  await context.close();
  await browser.close();
})();

Scripts

  • scripts/install.sh - Install Lightpanda binary

Comments

Loading comments...