playwright-download-fix

Security checks across malware telemetry and agentic risk

Overview

The core download helper is useful, but the package also promotes broader browser automation, anti-detection settings, CSP bypass, and a site-specific resume workflow that exceed a simple filename-fix skill.

Review before installing. Prefer using only download-helper.js in your own Playwright script with an explicit safe download directory. Avoid the pw-start alias unless you have reviewed the referenced pw-start.js, and do not use bypassCSP, stealth settings, or the recruitment/resume workflow unless you are authorized to automate that site and understand the privacy implications.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
80% confidence
Finding
The skill advertises filesystem- and environment-relevant behavior such as shell aliases, home-directory paths, Node execution, and local download handling, but it does not declare permissions or clearly bound those capabilities. In an agent ecosystem, undeclared capabilities reduce transparency and can cause the skill to run with broader access than users expect.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented behavior exceeds a narrow filename-fix helper and expands into a general browser launcher with site navigation, anti-detection settings, CSP bypass, and long-lived interactive automation. This mismatch is dangerous because users may invoke a seemingly limited utility while actually granting a much broader automation surface with privacy and security consequences.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The quick-start instructions turn the skill into a reusable Playwright launcher that opens arbitrary URLs and runs local Node scripts from a workspace, which goes beyond the stated file-renaming purpose. Broadening scope in documentation can lead users to run more powerful automation than intended, increasing risk of unauthorized browsing, data collection, or misuse.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The documented configuration includes anti-automation evasion measures such as realistic browser fingerprints and related settings that are not necessary for preserving download filenames. Such guidance can facilitate stealthier automation against third-party sites and materially increases abuse potential relative to the declared purpose.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Documenting `bypassCSP: true` introduces a browser capability that weakens site security boundaries and is unrelated to fixing Playwright download filenames. Even when presented as configuration, encouraging CSP bypass can enable script injection or facilitate interaction patterns that a site's policy is designed to restrict.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The troubleshooting section recommends stealth plugins and connecting to a real Chrome instance to avoid automation detection, which is outside the legitimate scope of a filename helper. This advice meaningfully increases the likelihood of covert automation against services that are attempting to detect or restrict such access.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The dispose() method calls removeAllListeners('download'), which removes every download listener registered on the page, not only the one added by this helper. In a larger automation or agent environment, this can disable unrelated security, auditing, or business-logic handlers and create integrity or availability issues through unintended interference.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The example expands a narrowly scoped download-filename helper into general browser automation with anti-detection characteristics, including a forged Chrome user agent and environment shaping. This is dangerous because it normalizes stealth-oriented automation in a skill whose stated purpose does not require it, increasing the likelihood the code is reused for deceptive scraping, bot evasion, or bypassing site controls.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Enabling bypassCSP disables an important browser-enforced defense that restricts script execution and resource loading, and it is unrelated to fixing Playwright download filenames. In a reusable example, this can encourage users to run automation with weakened page security, making it easier to interact with pages in ways that bypass publisher protections or mask unsafe script behaviors during testing.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill claims to only fix Playwright download filenames, but it also hard-codes navigation to a third-party recruitment site and keeps a live interactive browser session open for 30 minutes. That expands the behavior beyond the stated purpose, can induce users to log into an external service inside an automation context, and creates unnecessary risk around credential handling, session misuse, and unexpected data access.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The browser context includes stealth/anti-detection style settings such as a forged Chrome user agent and bypassCSP, which are unrelated to merely preserving original download filenames. In this skill context, these settings make the script more suspicious because they can facilitate evasion of site protections and broaden the blast radius if the script is reused for scraping or account-targeted automation.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill explicitly uses resume downloads as a use case and stores files locally, but it does not provide a clear privacy notice, retention guidance, or warning about handling sensitive personal data. In this context, silent local storage of candidate files can create compliance, confidentiality, and data minimization risks.

Natural-Language Policy Violations

Medium
Confidence
78% confidence
Finding
The skill sets Chinese locale and timezone defaults without user choice, which can alter site behavior, affect auditability, and help disguise the true client environment. While not severe on its own, this is unnecessary for filename repair and contributes to deceptive or privacy-impacting automation behavior.

Natural-Language Policy Violations

Medium
Confidence
81% confidence
Finding
Forcing a specific Chinese locale and Shanghai timezone without user choice is not necessary for fixing download filenames and can misrepresent the browser environment to third-party sites. While lower severity than credential or code-execution issues, it contributes to covert fingerprint shaping and may alter site behavior, audit trails, or compliance expectations.

VirusTotal

65/65 vendors flagged this skill as clean.
