download-webpage-as-pdf
PassAudited by VirusTotal on May 8, 2026.
Overview
Type: OpenClaw Skill Name: download-webpage-as-pdf Version: 0.1.3 The skill provides a legitimate recipe for capturing high-fidelity PDFs of webpages using the agent-browser CLI. It uses a JavaScript snippet within the browser context to handle lazy-loaded images, remove cookie banners, and ensure all assets are decoded before printing. The instructions in SKILL.md are transparent, well-documented, and focused entirely on the stated archival purpose without any signs of malicious intent or data exfiltration.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent will execute a DOM-manipulation script in the webpage to force images to load before producing the PDF.
The recipe runs JavaScript inside the opened page through agent-browser eval. The script is disclosed and purpose-aligned with loading images before printing, but it is still browser-context code execution.
agent-browser eval "(async () => { ... document.querySelectorAll('img').forEach(img => { ... }); ... window.scrollTo(0, y); ... })()"Use it only for pages the user asked to capture, and avoid adapting the eval command to include untrusted or user-supplied JavaScript.
A PDF could reflect whatever the default agent-browser session can access, including personalized or logged-in page content if that session has such state.
The instructions acknowledge shared/default agent-browser sessions. A default browser session may carry persistent browsing state, so users should be aware when capturing private or authenticated pages.
If multiple test/agent runs may share the host's agent-browser, isolate each invocation with `agent-browser --session <unique-name>` ... Single-user one-off captures can omit the flag and use the default session.
Use a unique agent-browser session for untrusted sites, shared machines, or captures where account/session isolation matters.
The skill may fail or behave differently depending on which local versions of these tools are installed.
The skill relies on external command-line tools, while the provided registry metadata says there are no required binaries and no install spec. This is a dependency/provenance clarity issue, not evidence of malicious behavior.
`agent-browser open <URL>` ... `pdfinfo /tmp/page.pdf` ... `qpdf /tmp/page.pdf --pages . 1-9 -- /tmp/page-trimmed.pdf` ... `gs -sDEVICE=pdfwrite`
Install trusted versions of agent-browser and any optional PDF tools, and consider declaring these binaries as requirements.