Clawbrowser
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name:
Developer:
Version:
Description: OpenClaw Agent Skill
The skill is classified as suspicious due to the broad `allowed-tools: Bash(playwright-cli:*)` permission granted in `SKILL.md`, which allows the agent to execute any `playwright-cli` command. This includes high-risk capabilities such as arbitrary network access, file system writes (for screenshots, videos, PDFs), and critically, the `playwright-cli run-code` command, which enables arbitrary JavaScript execution within the browser context. While these capabilities are necessary for browser automation, their power and lack of specific guardrails against misuse by a malicious user prompt make the skill a significant vector for data extraction or other unauthorized actions if the agent is compromised.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could click buttons, fill forms, or upload files in a browser session the user has opened or authenticated.
The skill teaches the agent to perform broad browser actions, including form entry and uploads. This fits the browser-control purpose, but these actions can affect real web accounts or submit data if used on sensitive sites.
Use refs for actions: - `click`, `dblclick`, `hover`, `drag`, `check`, `uncheck`, `select`, `fill`, `type`, `upload`, `eval`
Use the skill for clearly scoped browsing tasks, and give explicit approval before actions that submit, upload, purchase, publish, or change account data.
If used on sensitive pages, injected page scripts or granted browser permissions could expose or alter page data beyond normal browsing actions.
The skill documents Playwright code-injection/debugging features and a clipboard permission example. This is consistent with Playwright troubleshooting, but it is more powerful than simple navigation or clicking.
`playwright-cli run-code "async page => await page.context().grantPermissions(['clipboard-read'])"`
Reserve eval/run-code and permission-granting commands for trusted pages and debugging tasks where the user understands the effect.
A persistent session may let the agent continue acting as the logged-in user across later commands.
The skill explicitly supports persistent browser sessions that can retain logged-in state. This is expected for browser automation, and the skill also documents isolated mode and cleanup commands.
Sessions behave like persistent profiles: they remember auth state, history, and tabs between commands.
Use named or isolated sessions for different tasks, avoid reusing sensitive logged-in sessions unintentionally, and delete sessions when finished.
Screenshots, PDFs, snapshots, traces, or videos may preserve sensitive information from web pages after the browsing task ends.
The skill stores browser-derived evidence on disk. This is expected for screenshots and debugging, but those files may contain private page content or DOM information.
Save evidence to disk with `screenshot`, `pdf`, or `snapshot` ... Recorded files honor the `outputDir` from your config.
Choose a safe output directory, avoid recording private pages unless needed, and remove saved artifacts that contain sensitive data.
Different users or future installs may receive different Playwright CLI versions and browser binaries.
The setup uses a global npm install with the moving @latest version. This is a normal user-directed setup step for a CLI skill, but it means the installed code can change over time.
`npm install -g @playwright/cli@latest`
Install from the expected npm source, consider pinning a known-good version in controlled environments, and keep Playwright updated through normal package-management practices.
