cside Site Scanner
Advisory
Audited by static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may visit the target site, run the site’s scripts in a browser context, and capture visible page state.
The skill relies on browser automation and page-context JavaScript run against a user-supplied URL. That is inherent to website scanning, and no destructive action is instructed, but opening the page loads and executes the site's first- and third-party scripts and triggers the ordinary side effects of a visit (requests logged by the server, analytics beacons, rate-limit counters).
Use `browser-use open <url>` ... Use `browser-use screenshot` ... Execute JavaScript in the page to collect:
Scan only sites you own or have permission to test, respect the stated rate limit, and prefer an isolated browser profile for untrusted sites.
If used while logged in, the agent may see cookie names, domains, and security attributes for the scanned site.
Cookie metadata can reveal session or account context if the scan is run in an authenticated browser. The instruction asks for metadata rather than cookie values and is aligned with the stated cookie-security audit.
Extract all cookies: name, domain, secure flag, httpOnly flag, sameSite, expiration
Use a fresh or unauthenticated browser profile for scans, and ensure reports do not include cookie values or other secrets.
Storage metadata from the scanned site could enter the agent’s context or report.
Browser storage can contain application or user-specific data. The artifact only instructs checking usage, not persisting or exporting values, but the data source is sensitive on authenticated pages.
Check localStorage and sessionStorage usage
Keep storage inspection limited to security-relevant metadata and avoid reading, storing, or sharing localStorage/sessionStorage values unless the user explicitly requests it.
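The cookie and storage observations above both come down to the same rule: report security attributes and sizes, never values. The following is an added example (not code from the ClawScan report or from the cside skill) showing one way to enforce that rule in the agent's collection step. It assumes cookie records arrive from the automation layer in the shape returned by CDP `Network.getAllCookies` or `cookieStore.getAll()` (`name`, `value`, `domain`, `path`, `secure`, `httpOnly`, `sameSite`, `expires`); the function names, the sample cookies and the sample storage snapshot are all constructed for this example. One caveat the page-context approach in the skill runs into: `document.cookie` exposes neither HttpOnly cookies nor any attribute flags, and `cookieStore.getAll()` omits HttpOnly cookies entirely, so flag-level metadata has to come from the browser automation layer rather than from in-page JavaScript.

```javascript
// Added example, not part of the ClawScan report or the cside skill: keep a cookie and
// web-storage audit to metadata so that no cookie or storage value reaches the report.
// Cookie record shape assumed: as from CDP Network.getAllCookies / cookieStore.getAll().

const JWT_RE = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$/;

// Constructed sample input; not captured from any real site.
const SAMPLE_COOKIES = [
  { name: "sessionid", value: "s3cr3t-session-token", domain: ".example.test", path: "/",
    secure: false, httpOnly: true, sameSite: "Lax", expires: -1 },
  { name: "csrftoken", value: "abc123", domain: "example.test", path: "/",
    secure: true, httpOnly: false, sameSite: "Strict", expires: 1800000000 },
  { name: "tracker", value: "uid=42", domain: ".example.test", path: "/",
    secure: false, httpOnly: false, sameSite: "None", expires: 1800000000 },
];

// Constructed sample storage snapshot ({key: value}), standing in for localStorage.
const SAMPLE_STORAGE = {
  theme: "dark",
  access_token: "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.sig",
};

// Reduce each cookie to its security attributes plus value length. The value itself is
// never copied into the returned object, so the report cannot leak it.
function auditCookies(cookies) {
  return cookies.map((c) => {
    const sameSite = c.sameSite ? String(c.sameSite) : "";
    const issues = [];
    if (!c.secure) issues.push("missing Secure");
    if (!c.httpOnly) issues.push("missing HttpOnly");
    if (sameSite === "") issues.push("SameSite unspecified");
    if (sameSite.toLowerCase() === "none" && !c.secure) {
      issues.push("SameSite=None without Secure"); // browsers reject this combination
    }
    return {
      name: c.name,
      domain: c.domain,
      path: c.path,
      secure: Boolean(c.secure),
      httpOnly: Boolean(c.httpOnly),
      sameSite: sameSite || "(unset)",
      sessionCookie: c.expires == null || c.expires === -1,
      valueLength: String(c.value ?? "").length,
      issues,
    };
  });
}

// Summarise a storage area given as {key: value}. Values are read only to measure their
// length and to test for JWT shape (a signal that a bearer token sits in web storage);
// they are not retained in the result.
function summarizeStorage(entries) {
  let totalChars = 0;
  const keys = Object.entries(entries).map(([key, value]) => {
    const text = String(value ?? "");
    totalChars += text.length;
    return { key, valueLength: text.length, looksLikeJwt: JWT_RE.test(text) };
  });
  return { keyCount: keys.length, totalChars, keys };
}

// In a browser page context, snapshot a Storage object (localStorage or sessionStorage)
// into the {key: value} shape summarizeStorage expects. Returns {} when no Storage
// object is available, e.g. when run under Node.
function readStorageArea(area) {
  const out = {};
  if (!area || typeof area.length !== "number") return out;
  for (let i = 0; i < area.length; i++) {
    const key = area.key(i);
    out[key] = area.getItem(key);
  }
  return out;
}

// Stand-alone run over the constructed samples.
const report = {
  cookies: auditCookies(SAMPLE_COOKIES),
  storage: summarizeStorage(SAMPLE_STORAGE),
};
console.log(JSON.stringify(report, null, 2));
```

In the agent, `auditCookies` would be fed the automation layer's cookie list and `summarizeStorage(readStorageArea(localStorage))` would be evaluated in the page; only the returned metadata objects go into the report, which is what the recommendations above ask for.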
