ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Playwright Scraper Skill 1.2.0

v1.0.0

Playwright-based web scraping OpenClaw Skill with anti-bot protection. Successfully tested on complex sites like Discuss.com.hk.

0· 747·10 current·11 all-time
by@itsjustfred
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the included files and usage: two Playwright scripts (simple + stealth), docs, examples, and npm dependency on Playwright. No credentials or unrelated binaries are requested, which is proportionate for a scraper.
Instruction Scope
SKILL.md and scripts instruct the agent to install dependencies (npm / npx playwright install) and run local JS scrapers. The stealth script modifies navigator properties and injects init scripts to hide automation markers (expected for anti-bot evasion). The docs mention future use of proxies and CAPTCHA solvers (2captcha) but those are not implemented in code. Instructions do not read unrelated system files or exfiltrate data to external servers.
Install Mechanism
No formal install spec in registry; documentation tells users to run npm install and npx playwright install chromium. Dependencies come from the public npm registry (package-lock references registry.npmjs.org). This is expected but means npm will fetch and install packages and browser binaries to disk—run in an environment you control.
Credentials
No required environment variables or credentials are declared. Optional env vars (HEADLESS, WAIT_TIME, SCREENSHOT_PATH, SAVE_HTML, USER_AGENT) are reasonable and directly related to scraper behavior.
Persistence & Privilege
Skill does not request always:true and does not attempt to modify other skills or system-wide configs. It runs on demand and writes only local artifacts (screenshots, saved HTML) when instructed.
Assessment
This skill appears to do what it claims: local Playwright scripts for normal and 'stealth' scraping. Before installing or running it: (1) review the included scripts yourself—npm install will fetch Playwright and its dependencies and npx playwright install will download browser binaries; run these in an isolated environment if you are cautious; (2) be aware the stealth script intentionally modifies browser fingerprints to evade bot detection—this is the feature, but could be legally or ethically questionable depending on target sites; (3) the docs mention proxy rotation and CAPTCHA services (2captcha) as planned — those would require third-party credentials and introduce additional risk if added later; (4) no credentials are required now, and no hidden network endpoints are present, but only run code from unknown sources if you trust the author or after manual audit.

Like a lobster shell, security has layers — review code before you run it.

latestvk97a2nzaetfwkwwnxrya5yfdgx81nmw7

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments