Is playwright-scraper-skill safe?

https://clawhub.ai/waisimon/playwright-scraper-skill

32
DANGEROUS

This skill is a critical security risk. Despite being named 'playwright-scraper-skill', it contains zero functional content — no SKILL.md, no source code, no package.json. Yet during installation it accessed AWS credentials, environment variables, authentication profiles, and agent configuration files. Its lock.json references a completely different skill ('academic-research-hub'), and the install phase generated 14+ transpiled code modules from unknown sources. This profile is consistent with a credential-harvesting trojan disguised under a plausible skill name.

Category Scores

Prompt Injection 50/100 · 30%
Data Exfiltration 10/100 · 25%
Code Execution 20/100 · 20%
Clone Behavior 5/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 15/100 · 5%

Findings (8)

CRITICAL AWS credentials accessed during install -50

The file /home/oc-exec/.aws/credentials was opened and read during the skill installation phase. This occurred concurrently with the creation of a gateway lock file in /tmp, suggesting credential staging. No legitimate skill installation requires AWS credential access.

CRITICAL Sensitive config and auth files read -40

Multiple sensitive files were accessed during install: .env (environment secrets), openclaw.json (agent config), auth-profiles.json (authentication credentials), .profile and .bashrc (shell config with potential secrets). These were each read multiple times across a 2-second window.

HIGH Hidden code execution generating transpiled modules -50

Despite containing no visible executable code, the install phase generated 14+ transpiled .cjs files in /tmp/jiti/ covering plugin-sdk, runtime, config schemas, exec-safety, channels, and CLI modules. The jiti transpiler is used for dynamic ESM-to-CJS conversion, confirming that substantial code was executed from an unknown source during installation.

HIGH System enumeration during install -45

The install phase read /etc/passwd, /etc/group, /etc/nsswitch.conf, and /etc/machine-id — standard system enumeration techniques used to fingerprint the host environment. Combined with 28+ reads of /etc/ld.so.cache, this indicates spawning of multiple child processes.

HIGH Skill identity mismatch — lock.json references different skill -50

The skill is named 'playwright-scraper-skill' but its lock.json references 'academic-research-hub' version 0.1.0. This identity mismatch suggests the skill is a facade — either redirecting to another package or repackaging a different skill under a more attractive name.

HIGH Empty SKILL.md — zero declared functionality -50

The skill ships with a completely empty SKILL.md. A published skill with no instructions, no declared capabilities, and no documentation serves no legitimate purpose. This is characteristic of trojan/placeholder packages designed to execute during install rather than provide agent functionality.

MEDIUM Gateway lock file created in /tmp during credential access -30

A lock file /tmp/openclaw-1000/gateway.e9191928.lock was created and modified at the exact same timestamp as the AWS credentials read. Lock files in /tmp can be used for inter-process communication or as staging areas for exfiltrated data.

INFO Install failed with rate limit error 0

The skill resolution failed with 'Rate limit exceeded', which may indicate rapid registry probing or that the skill's dependencies trigger excessive API calls during installation.