Oathe Security Badge

Is skill/playwright-scraper safe?

https://clawhub.ai/skill/playwright-scraper

Score: 67 (CAUTION)

The playwright-scraper skill appears to be a broken web scraping tool that attempts to execute non-existent scripts and contains command injection vulnerabilities. While it doesn't actively exfiltrate data or contain malicious prompt injections, its broken state and security flaws make it unsuitable for use.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 75/100 · 25%
Code Execution 40/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 35/100 · 5%

Findings (6)

HIGH Missing Critical Script File -30

The skill attempts to execute 'scripts/playwright-stealth.js' which does not exist in the skill directory, causing the skill to fail completely when used.

HIGH Command Injection Vulnerability -30

The user-provided URL parameter is passed directly to execSync without sanitization, creating potential for command injection attacks.

MEDIUM External Script Execution Attempt -25

Code attempts to execute external scripts outside the main application flow, which could be used for data exfiltration if the script existed.

MEDIUM Broken Skill Functionality -35

The skill is published in a non-functional state, suggesting incomplete development or a potential placeholder for malicious functionality.

LOW Mixed Language Documentation -5

Code contains Chinese comments while documentation is in English, which may indicate copy-paste from untrusted sources.

LOW Stealth Scraping Capability -30

If functional, the skill would enable bypassing anti-bot measures which could be used for malicious scraping activities.