Skill v1.0.0

ClawScan security

Playwright MCP Automation · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 4, 2026, 3:19 AM
Verdict
Benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's files and runtime instructions are coherent with its stated purpose (launching and operating a Playwright MCP server for browser automation), but it contains several operational recommendations that increase attack surface if used carelessly: unrestricted allowed-hosts, exposing the HTTP transport, using an unpinned `@latest` npm artifact, and storing secrets on the filesystem.
Guidance
This skill appears to do what it says: run a Playwright MCP server and provide guidance for using MCP tools. Before installing or running it, consider:

- Supply-chain risk: the script runs `npx @playwright/mcp@latest` (unpinned). Prefer pinning to a specific vetted version or using an internal mirror.
- Network exposure: some snippets instruct `--allowed-hosts=*` and `--host=0.0.0.0`, which disable DNS rebinding protections and expose the service. Only use those on isolated hosts or behind strict firewalls/tunnels.
- Secrets & profiles: persistent profiles, storage.json, or `--secrets /path/.env` can expose credentials. Keep those files in a secure vault, and avoid reusing an interactive Chrome profile unless you understand the privacy implications.
- Privilege and installs: the skill expects Node.js and Playwright browsers; installing system dependencies may require sudo. Run installs on trusted CI/hosts.
- Operational best practice: review the upstream Playwright MCP repo and pin versions, restrict allowed hosts, and firewall or auth-protect any exposed MCP HTTP endpoint.

If you need higher assurance, ask the author for a reproducible install spec that pins package versions, or for more provenance for the package source.

Review Dimensions

Purpose & Capability
ok: The name/description match the included SKILL.md, reference docs, and a simple launcher script that runs the Playwright MCP server. Requested artifacts (persistent profile, storage-state, secrets file, Playwright capabilities) are expected for browser automation.
Instruction Scope
note: Instructions are explicit about launching MCP, wiring clients, and calling specific MCP tools (`browser_navigate`, `browser_snapshot`, `browser_run_code`, etc.). They do, however, recommend operationally risky options (e.g., `--allowed-hosts=*`, exposing `--host 0.0.0.0` and a port, reusing Chrome profiles, secrets files and storage.json). Those are within the skill's scope for advanced usage but increase data/host exposure if applied on an untrusted host or without network controls.
Install Mechanism
note: There is no formal install spec; the script uses `exec npx @playwright/mcp@latest`, which will fetch and run an npm package at runtime. That is coherent with a lightweight instruction-only skill but carries standard supply-chain risk due to fetching an unpinned remote package (`@latest`). No opaque download URLs or extracted archives are present.
Credentials
note: The skill declares no required env vars, which matches packaging. The runtime docs reference optional env overrides (`PWMCP_*`) and recommend secrets storage (storage.json, `--secrets /path/.env`). Recommending secrets files is expected, but the skill does not itself require credentials; the user must supply them. Users should note the guidance to allow access to existing Chrome profiles and secrets, which can expose sensitive data if misused.
Persistence & Privilege
ok: The skill is not forced-always or otherwise privileged. It does not modify other skills or global agent settings. It suggests persistent browser profiles as an option, which is normal for automation, but persistent profiles can retain credentials across runs and should be managed carefully.