Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Playwright MCP Automation
v1.0.0Launch and operate the Playwright MCP server to let agents browse real websites (login, search, checkout, dashboards) through structured tools. Use when the...
⭐ 0· 337·1 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
The name/description match the included SKILL.md, reference docs, and a simple launcher script that runs the Playwright MCP server. Requested artifacts (persistent profile, storage-state, secrets file, Playwright capabilities) are expected for browser automation.
Instruction Scope
Instructions are explicit about launching MCP, wiring clients, and calling specific MCP tools (browser_navigate, browser_snapshot, browser_run_code, etc.). They do however recommend operationally risky options (e.g., --allowed-hosts=*, exposing --host 0.0.0.0 and a port, reusing Chrome profiles, secrets files and storage.json). Those are within the skill's scope for advanced usage but increase data/host exposure if applied on an untrusted host or without network controls.
Install Mechanism
There is no formal install spec; the script uses exec npx @playwright/mcp@latest which will fetch and run an npm package at runtime. That is coherent with a lightweight instruction-only skill but carries standard supply-chain risk due to fetching an unpinned remote package (@latest). No opaque download URLs or extracted archives are present.
Credentials
The skill declares no required env vars, which matches packaging. The runtime docs reference optional env overrides (PWMCP_*) and recommend secrets storage (storage.json, --secrets /path/.env). Recommending secrets files is expected, but the skill does not itself require credentials — the user must supply them. Users should note the guidance to allow access to existing Chrome profiles and secrets which can expose sensitive data if misused.
Persistence & Privilege
The skill is not forced-always or otherwise privileged. It does not modify other skills or global agent settings. It suggests persistent browser profiles as an option, which is normal for automation, but persistence of profiles can persist credentials across runs and should be managed carefully.
Assessment
This skill appears to do what it says: run a Playwright MCP server and provide guidance for using MCP tools. Before installing or running it, consider:
- Supply-chain risk: the script runs `npx @playwright/mcp@latest` (un-pinned). Prefer pinning to a specific vetted version or using an internal mirror.
- Network exposure: some snippets instruct `--allowed-hosts=*` and `--host=0.0.0.0` which disable DNS rebinding protections and expose the service. Only use those on isolated hosts or behind strict firewalls/tunnels.
- Secrets & profiles: persistent profiles, storage.json, or `--secrets /path/.env` can expose credentials. Keep those files in a secure vault, and avoid reusing an interactive Chrome profile unless you understand the privacy implications.
- Privilege and installs: the skill expects Node.js and Playwright browsers; installing system dependencies may require sudo. Run installs on trusted CI/hosts.
- Operational best practice: review the upstream Playwright MCP repo and pin versions, restrict allowed hosts, and firewall or auth-protect any exposed MCP HTTP endpoint.
If you need higher assurance, ask the author for a reproducible install spec that pins package versions or provide more provenance for the package source.Like a lobster shell, security has layers — review code before you run it.
latestvk97ejv21ajvvxg6prxc5y067fh8284na
License
MIT-0
Free to use, modify, and redistribute. No attribution required.