Stealth Browser
Warn
Audited by ClawScan on May 10, 2026.
Overview
This skill openly tries to bypass website bot protections and has unsafe command handling that could let a crafted URL run shell commands on the host.
Do not install this in a normal environment unless you specifically need an authorized stealth-browser testing tool. At minimum, fix the command-injection bug, make dependency installation explicit, restrict target URLs/domains, and run it in a sandboxed disposable environment.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent could use this to access protected sites in ways that violate site rules or trigger abuse, legal, or account-risk consequences.
The skill is not merely ordinary browsing; it explicitly advertises evading anti-bot and CAPTCHA protections.
Uses Playwright Extra with Stealth Plugin to mask automation signatures... Bypasses Cloudflare, reCAPTCHA, and most bot detection.
Use only for authorized testing or scraping; add domain allowlists, rate limits, and explicit user confirmation before accessing protected sites.
A crafted URL could cause arbitrary commands to run under the user's agent account.
User-provided URL strings are joined into a shell command without quoting or escaping, allowing shell metacharacters in a URL to become commands.
const urlList = urls.join(' '); const result = runBrowser(`${action} ${urlList}`); ... execSync(`node "${scriptPath}" ${args}`, {
Replace execSync string execution with spawn/execFile using an argument array, and validate URLs to safe schemes such as https/http before launching the browser.
External dependency code may be fetched during skill loading before the user has an explicit install-review step.
The skill automatically runs npm install during load, even though the registry presents it as having no install spec.
async onLoad() { ... if (!fs.existsSync(nodeModulesPath)) { ... execSync('npm install', { cwd: skillDir, stdio: 'inherit' }); }
Declare the install step clearly, prefer a reviewed install spec, use locked dependency installation such as npm ci, and avoid automatic package installation on load.
