download-webpage-as-pdf
PassAudited by ClawScan on May 8, 2026.
Overview
The skill is a coherent webpage-to-PDF recipe, but users should notice that it runs a headless browser, page-context JavaScript, and may use the default agent-browser session.
Install/use this if you are comfortable with an agent opening the requested URL in agent-browser, running the disclosed image-loading script, and writing a local PDF. For private or logged-in pages, use a unique agent-browser session and choose an output path deliberately; verify local tool versions before relying on the recipe.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent will execute a DOM-manipulation script in the webpage to force images to load before producing the PDF.
The recipe runs JavaScript inside the opened page through agent-browser eval. The script is disclosed and purpose-aligned with loading images before printing, but it is still browser-context code execution.
agent-browser eval "(async () => { ... document.querySelectorAll('img').forEach(img => { ... }); ... window.scrollTo(0, y); ... })()"Use it only for pages the user asked to capture, and avoid adapting the eval command to include untrusted or user-supplied JavaScript.
A PDF could reflect whatever the default agent-browser session can access, including personalized or logged-in page content if that session has such state.
The instructions acknowledge shared/default agent-browser sessions. A default browser session may carry persistent browsing state, so users should be aware when capturing private or authenticated pages.
If multiple test/agent runs may share the host's agent-browser, isolate each invocation with `agent-browser --session <unique-name>` ... Single-user one-off captures can omit the flag and use the default session.
Use a unique agent-browser session for untrusted sites, shared machines, or captures where account/session isolation matters.
The skill may fail or behave differently depending on which local versions of these tools are installed.
The skill relies on external command-line tools, while the provided registry metadata says there are no required binaries and no install spec. This is a dependency/provenance clarity issue, not evidence of malicious behavior.
`agent-browser open <URL>` ... `pdfinfo /tmp/page.pdf` ... `qpdf /tmp/page.pdf --pages . 1-9 -- /tmp/page-trimmed.pdf` ... `gs -sDEVICE=pdfwrite`
Install trusted versions of agent-browser and any optional PDF tools, and consider declaring these binaries as requirements.