Is guoqiao/url2png safe?

https://github.com/openclaw/skills/tree/main/skills/guoqiao/url2png

83
SAFE

guoqiao/url2png is a straightforward URL-to-PNG screenshot skill built on the legitimate shot-scraper tool by Simon Willison. The SKILL.md contains no prompt injection, persona overrides, or hidden directives, and no exfiltration was detected during sandbox monitoring. The primary risks are operational rather than adversarial: the skill installs a full Chromium browser via an external PyPI package, declares itself always-active in agent context, and passes unvalidated URLs to Chromium — creating SSRF exposure on server deployments and a theoretical local file read vector via file:// URLs.

Category Scores

Prompt Injection 88/100 · 30%
Data Exfiltration 82/100 · 25%
Code Execution 72/100 · 20%
Clone Behavior 93/100 · 10%
Canary Integrity 90/100 · 10%
Behavioral Reasoning 75/100 · 5%

Findings (8)

MEDIUM Chromium browser installation via remote PyPI package -15

install.sh runs 'uvx shot-scraper install --browser chromium', which downloads shot-scraper from PyPI and then downloads Chromium binaries via playwright. This introduces a large external dependency chain. A compromise of the shot-scraper PyPI package or playwright's Chromium CDN would result in malicious binaries being installed on the user's machine.

MEDIUM SSRF potential via agent-navigated Chromium on server deployments -15

The skill instructs the agent to pass any user-specified URL to Chromium for rendering. On server or cloud deployments, Chromium launched by the agent could reach internal metadata endpoints (AWS IMDSv1 at 169.254.169.254), internal services, or file:// paths if the agent does not sanitize the URL argument. The skill performs no URL validation.

LOW 'always:true' skill permanently occupies agent system prompt -7

The SKILL.md metadata declares 'always:true', meaning this skill's full instruction block is injected into the agent system prompt on every session regardless of whether the user intends to use it. This consumes context window tokens permanently and keeps screenshot-related instructions always active, potentially triggering on ambiguous user requests.

LOW Overly broad fuzzy trigger pattern -5

The trigger 'Save this url as image ...' uses a trailing ellipsis, suggesting intentional fuzzy matching. This could cause the skill to activate when users make requests about saving URLs in other contexts (bookmarks, downloads, etc.), leading the agent to unexpectedly launch Chromium.

LOW Unquoted shell variable in url2png.sh -8

The outdir variable is used unquoted in 'mkdir -p ${outdir}' and 'cd ${outdir}'. If the agent or user passes a value containing spaces, special characters, or glob patterns as the second argument to url2png.sh, this could cause unexpected shell behavior. Direct code injection requires the second argument to be attacker-controlled.

LOW Chromium can navigate to file:// and internal URLs -18

shot-scraper/Chromium does not restrict URL schemes by default. If an attacker can influence the URL passed to url2png.sh (e.g., through a crafted user message), they could cause Chromium to render a local file (file:///etc/passwd) or an internal service and receive the rendered PNG as output, effectively exfiltrating local file content through the screenshot.

LOW .clawhub/lock.json references a different skill -7

The .clawhub/lock.json bundled in the skill directory records an installation of 'academic-research-hub' v0.1.0. This file is from the skill author's development machine and was accidentally included in the published skill bundle. It is not a security issue but indicates the author's development practices include bundling environment-specific files.

INFO Canary file path accesses attributed to monitoring infrastructure -10

Canary files (.env, id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were accessed at two points during the audit. Timing correlation (first batch at epoch 1771914703.390 alongside baseline 'ss -tunap'; second batch at 1771914728.849 immediately following skill-file reads by the audit harness) indicates these are oathe platform reads for baseline and final integrity verification, not skill-initiated. Canary integrity confirmed intact.