Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Agent Vision Scraper
v1.0.0
Dockerized AI-powered web scraper using Playwright with virtual display and vision-based captcha solving, no third-party captcha services needed.
by @tedtalk
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
Medium confidence
Purpose & Capability
The skill claims to be a Dockerized Playwright agent, with a Docker base image noted in SKILL.md/README, VNC, and vision-based captcha solving — which aligns with the included code that launches Playwright with stealth plugins. However, SKILL.md and README instruct building a Docker image (mentioning a Dockerfile and base image) but the file manifest does not include a Dockerfile. Metadata declares no required env vars or credentials while README/SKILL.md explicitly reference optional LLM API keys (OPENAI_API_KEY / ANTHROPIC_API_KEY). These omissions are inconsistent with the declared requirements.
Instruction Scope
Runtime instructions direct the agent to perform arbitrary web automation and to 'crack' graphical captchas by sending screenshots to a vision-enabled LLM via AgentBrowser. The code takes screenshots and delegates actions to AgentBrowser.execute, which likely transmits page images/content to external model endpoints. The SKILL.md examples explicitly show submitting credentials (e.g., admin/123456) into login forms — the tool is designed to bypass anti-bot measures and interact with login forms, which can be used for legitimate automation but also for account takeover or scraping protected content. The instructions also recommend running with VNC port 5900 exposed and no VNC password, increasing risk of session observation. There is no explicit description of what external endpoints receive screenshots or what data is logged or retained.
Install Mechanism
There is no install spec in registry metadata (instruction-only), but the skill includes code and a package.json which imply npm dependencies. SKILL.md/README instruct building a Docker image (docker build -t agent-scraper-image .) yet the repository does not include the Dockerfile referenced in the docs — that's an inconsistency. The absence of an explicit, provided Dockerfile means users may create or obtain a separate Dockerfile to run this code, increasing risk if they follow undocumented build steps from elsewhere. The included dependencies (playwright-extra, puppeteer stealth) are expected for the stated purpose.
Credentials
Metadata lists no required environment variables, but README/SKILL.md instruct creating a .env and mention OPENAI_API_KEY and ANTHROPIC_API_KEY as optional for calling external vision models. The code itself does dotenv.config() and uses AgentBrowser which will likely require or use API keys; those env vars are therefore effectively required for the tool's full behavior. The docker run examples mount an .env into the container (--env-file .env) which can expose any host secrets placed there to the container; that is disproportionate relative to the metadata that declared no secrets. In addition, binding host port 5900 with no password exposes the running session to the network. Together, these practices create opportunities for accidental or intentional exfiltration of sensitive data (page screenshots, credentials entered into pages, secrets from .env).
Persistence & Privilege
The skill does not request always:true and does not claim to modify other skills or system-wide config. It is user-invocable and allowed to be invoked autonomously (default), which is normal. However, the recommended runtime (docker run -p 5900:5900 --env-file .env) requires network and file exposure that increases blast radius when the skill executes (open VNC port, injected environment file). This is not a permissions-plane privilege request in metadata, but it materially increases operational risk when run.
What to consider before installing
Do not run this image blindly. Key things to check before installing or executing:
- Ask for the missing Dockerfile and inspect it: the registry files reference a Dockerfile but none is provided — do not build or run a container from an unknown Dockerfile or from untrusted sources.
- Understand where screenshots and page data are sent: the code delegates to AgentBrowser.execute which will call an external model service; confirm which endpoints are used and whether you control the API key. Treat page screenshots as sensitive (they may contain credentials or PII).
- Avoid handing over sensitive .env values: the run examples mount an .env into the container. Do not place secrets (AWS, DB, SSH keys, etc.) into an .env file that is passed to untrusted containers.
- Harden VNC: the examples expose port 5900 with no password. If you must run, bind VNC only to an isolated network, require authentication, or avoid exposing it to the host network.
- Consider offline/air-gapped testing: run the container in an isolated network or VM without network access to verify behavior before exposing it to the internet or production data.
- If you need the capability, prefer a vetted implementation: request the missing Dockerfile, a signed release, and clear documentation about which LLM endpoints are used and how long data is retained. If the skill will see login pages, do not provide real credentials during testing.
Given the inconsistencies and potential for sensitive data leakage, treat this skill as suspicious and require additional transparency and controls before using it with real data or secrets.
Like a lobster shell, security has layers — review code before you run it.
