Skill v2.0.0

ClawScan security

Dexter Browser Automation · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 15, 2026, 2:53 AM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's code and instructions match its stated purpose (Playwright-based browser automation); nothing in the package appears designed to do anything other than automate browsers. It can, however, perform high-risk actions (form fills, clicks, arbitrary JS in the page context), so review it before use and run it in a sandboxed environment.
Guidance
This package is coherent for browser automation, but exercise caution before installing or running it:
- Run it in a sandbox/container. It launches headless Chromium with --no-sandbox (which disables Chromium's own OS-level sandbox) and other non-default args, so the container or VM boundary becomes the only isolation between a malicious page and the host.
- Audit the code, especially the eval path in cdp.py, before using it in production. Arbitrary JS evaluation in the page context can read anything the page can (DOM contents, script-accessible cookies and storage) and perform actions as whichever user is logged in, so it can be used to exfiltrate data or trigger actions on authenticated sites.
- Avoid supplying real credentials to its examples or commands unless you trust both the environment and the site; prefer test accounts.
- Install Playwright and its browsers in a controlled way as documented, and do not run untrusted pages in a host session that also has sensitive access (logged-in browser profiles, credentials, tokens).
- Note provenance: there is no homepage and the owner is an opaque ID. If provenance matters, prefer a well-known or verified source, or ask the publisher for more details.
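The two controls above that a reviewer can actually automate are the pre-install audit (find every eval, sandbox-disabling arg, stealth tweak and credential fill in the scripts) and an origin gate on the eval command so arbitrary JS only ever runs on sites the operator named. The following is an added example written for this review; it is not code from the ClawHub page or from the Dexter skill. It assumes the skill's scripts use Playwright's page.evaluate() for the eval command and pass extra Chromium launch args; the SAMPLE_SOURCES dictionary holds constructed stand-ins, not the real cdp.py, init.py or interact.py, and the regexes are assumptions about how such scripts are typically written.

```python
"""Pre-install audit helpers for a Playwright-based browser-automation skill.

Added example for this review; not part of the ClawHub page or of the Dexter
skill's own code.  It assumes the skill's scripts call Playwright's
page.evaluate() for the 'eval' command and pass extra Chromium launch args.
SAMPLE_SOURCES below are constructed stand-ins, not the real skill files.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Primitives a reviewer wants surfaced before running the skill, with the
# reason each matters.  The regexes are assumptions about how such scripts
# are usually written; extend them to match the package you are auditing.
RISKY_PATTERNS = {
    "arbitrary_js": (re.compile(r"\.(evaluate|evaluate_handle|add_init_script)\("),
                     "runs caller-supplied JS in the page context"),
    "no_sandbox": (re.compile(r"--no-sandbox"),
                   "disables Chromium's OS sandbox; run inside a container"),
    "stealth": (re.compile(r"navigator\.webdriver|AutomationControlled"),
                "anti-bot evasion; expect sites to treat this as abuse"),
    "secret_fill": (re.compile(r"\.fill\([^)]*(pass|pwd|secret|token)", re.I),
                    "writes credentials into a page; use test accounts"),
}


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    reason: str


def audit_sources(sources: dict[str, str]) -> list[Finding]:
    """Scan {path: source_text} and return every risky primitive found."""
    findings: list[Finding] = []
    for path, text in sources.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for kind, (pattern, reason) in RISKY_PATTERNS.items():
                if pattern.search(line):
                    findings.append(Finding(path, lineno, kind, reason))
    return findings


def eval_allowed(page_url: str, allowed_origins: frozenset[str]) -> tuple[bool, str]:
    """Gate for the skill's 'eval' command: permit arbitrary JS only on origins
    the operator listed explicitly.  The origin allowlist is the control;
    filtering the JS text itself is bypassable and is deliberately not attempted.
    """
    parts = urlsplit(page_url)
    if parts.scheme not in ("http", "https"):
        return False, f"refusing non-web scheme {parts.scheme!r}"
    origin = f"{parts.scheme}://{parts.netloc}"
    if origin not in allowed_origins:
        return False, f"{origin} is not in the eval allowlist"
    return True, f"{origin} allowed"


# Constructed sample sources (not the real skill files) so the audit runs offline.
SAMPLE_SOURCES = {
    "cdp.py": "def run_eval(page, js):\n    return page.evaluate(js)\n",
    "init.py": "ARGS = ['--no-sandbox', '--disable-blink-features=AutomationControlled']\n",
    "interact.py": "page.fill('#password', password)\n",
}


def audit_report(sources: dict[str, str]) -> list[str]:
    """One human-readable line per finding, for the pre-install review."""
    return [f"{f.path}:{f.line} [{f.kind}] {f.reason}" for f in audit_sources(sources)]


if __name__ == "__main__":
    print("\n".join(audit_report(SAMPLE_SOURCES)))
    allow = frozenset({"https://example.test"})  # assumed operator allowlist
    print(eval_allowed("https://example.test/login", allow))
    print(eval_allowed("https://mail.example.test/", allow))
```

Run it against the skill's real script files by replacing SAMPLE_SOURCES with their contents; every finding is a line to read by hand, not a verdict. The origin gate treats the allowlist as the security boundary on purpose: a regex denylist over the JS string (blocking `fetch`, `document.cookie` and so on) is trivially evaded with string concatenation, so it is not offered as a control.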

Review Dimensions

Purpose & Capability
ok
Name/description promise Playwright-based browser automation and the included scripts (init, screenshot, scrape, extract, interact, cdp) implement that. No unrelated credentials or config paths are requested. The skill does require Playwright and browser binaries (documented in SKILL.md) even though the registry metadata lists no required binaries; this is a minor metadata mismatch but not inconsistent with the stated purpose.
Instruction Scope
note
SKILL.md and the scripts keep to browser automation tasks (navigation, screenshot, scraping, form interaction). However, the code exposes an 'eval' command that runs arbitrary JS in the page context, and the references include 'stealth' techniques (removing the navigator.webdriver property and passing special browser args) intended to evade anti-bot checks. Examples also show filling login forms, i.e. handling secrets. These are legitimate for an automation tool but expand the blast radius if misused: arbitrary JS plus form-filling can be used to exfiltrate data from, or trigger actions on, authenticated sites.
Install Mechanism
ok
There is no automated install spec (instruction-only), which minimizes installer risk. SKILL.md and init.py require that Playwright be installed (pip install playwright && playwright install chromium). No downloads from untrusted URLs or archive extractions are present in the package.
Credentials
ok
The package does not request environment variables, secrets, or unrelated credentials. The scripts operate using the runtime environment and browser automation only. The examples' use of passwords is illustrative and not a declared secret requirement; users must take care not to pass real credentials to the tool unless intended.
Persistence & Privilege
ok
always:false and the default user-invocable setting are in place. The skill does not attempt to modify other skills or global agent configuration, and does not request permanent presence or elevated platform privileges.