cside Site Scanner
Result: Pass. Audited by ClawScan on May 1, 2026.
Overview
The skill matches its website-scanning purpose, but it can load arbitrary pages and inspect cookie/storage metadata, so use it only on authorized sites with a clean browser profile.
This skill is reasonable for website security reviews. Before using it, confirm you are allowed to scan the target, expect the browser to load the page and its third-party scripts, and use a clean or unauthenticated browser profile for sites that may contain personal, account, or payment data.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Finding 1: The agent may visit the target site, run the site’s scripts in a browser context, and capture visible page state.
The skill relies on browser automation and page-context JavaScript against a user-supplied URL. This is central to website scanning and no destructive action is instructed, but it can load third-party code and trigger normal page side effects.
Quoted instruction: Use `browser-use open <url>` ... Use `browser-use screenshot` ... Execute JavaScript in the page to collect:
Recommendation: Scan only sites you own or have permission to test, respect the stated rate limit, and prefer an isolated browser profile for untrusted sites.

Finding 2: If used while logged in, the agent may see cookie names, domains, and security attributes for the scanned site.
Cookie metadata can reveal session or account context if the scan is run in an authenticated browser. The instruction asks for metadata rather than cookie values and is aligned with the stated cookie-security audit.
Quoted instruction: Extract all cookies: name, domain, secure flag, httpOnly flag, sameSite, expiration
Recommendation: Use a fresh or unauthenticated browser profile for scans, and ensure reports do not include cookie values or other secrets.

Finding 3: Storage metadata from the scanned site could enter the agent’s context or report.
Browser storage can contain application or user-specific data. The artifact only instructs checking usage, not persisting or exporting values, but the data source is sensitive on authenticated pages.
Quoted instruction: Check localStorage and sessionStorage usage
Recommendation: Keep storage inspection limited to security-relevant metadata and avoid reading, storing, or sharing localStorage/sessionStorage values unless the user explicitly requests it.
