Skill v1.0.0
ClawScan security
Stealth Browser · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review: Feb 19, 2026, 11:01 PM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary
- The skill largely matches its stated purpose (stealthy headless browsing) but includes risky behaviors (auto-installing npm deps at load time, spawning child processes with unescaped user input, running Chromium with --no-sandbox, and writing files to /tmp) that warrant caution before installation.
- Guidance
- This skill appears to do what it claims (stealth browsing), but there are a few practical risks to weigh before installing:
  - Command-injection risk: the skill builds shell commands by inserting user-provided URLs/arguments directly into execSync calls. If untrusted input reaches those arguments, it can run arbitrary shell commands. Ask the author to avoid shell interpolation altogether and run the child process with execFile/spawn and an argument array (escaping is a weaker second choice).
  - Auto-install side effect: onLoad runs 'npm install' in the skill directory, which fetches many packages from the public npm registry and writes them to disk. Code is pulled and executed at load time, so run this in an isolated environment or vet package-lock.json and the packages first.
  - Sandbox flags: the browser is launched with --no-sandbox and --disable-setuid-sandbox. Those flags are often required in container environments, but they disable Chromium's renderer sandbox, so a compromised renderer is no longer contained; avoid running this on a high-value host, or run it inside a hardened container.
  - Filesystem and network access: the skill writes output to /tmp and makes arbitrary network requests to target sites (including sites behind bot protections). Confirm this is acceptable for your environment and that you are not violating terms of service or local policies.
  Recommendations: use only in an isolated VM/container; review/verify package-lock.json or run npm install against an offline/vetted mirror; ask the author to fix the unsafe execSync usage (argument arrays, or escaping at minimum); and confirm you are comfortable with automatic dependency installation and with running Chromium under the provided flags.
Review Dimensions
- Purpose & Capability
- ok: Name, README, SKILL.md, package.json and code all consistently implement a headless browser that tries to evade bot detection (playwright-extra + stealth plugin). Requesting no env vars and no exotic system access is coherent; it does expect a system Chromium at /usr/bin/chromium, as documented.
- Instruction Scope
- concern: Runtime code (index.js -> execSync -> stealth-browser.js) navigates to arbitrary user-provided URLs and writes screenshots/PDFs to /tmp. The runBrowser command constructs a shell command by interpolating args directly into execSync without escaping, which creates a shell/command-injection risk if input is not strictly validated. The onLoad hook also runs 'npm install' in the skill directory, an automatic side effect not described in SKILL.md.
- Install Mechanism
- note: There is no declared install spec, but index.js's onLoad automatically runs 'npm install' if node_modules is missing. That downloads and installs many dependencies from the public npm registry (package-lock.json lists many packages). Using npm is expected here, but automatic installation at skill load time increases risk because new code is fetched and executed in the agent environment without an explicit install step.
- Credentials
- ok: The skill declares no required environment variables or credentials, and the code does not access external credentials. It does require network access to fetch target websites and filesystem write access to /tmp for screenshots/PDFs; both are proportional to its stated functionality.
- Persistence & Privilege
- ok: 'always' is false, and the skill does not request system-wide settings or modify other skills. The onLoad npm install behavior lets it modify its own directory (create node_modules), which is typical for Node-based skills but worth noting.
