Trust Assessment
clawbrowser received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 0 critical, 2 high, 3 medium, and 0 low severity. Key findings include "Execution of `npm install` not covered by declared permissions", "Unpinned dependency `@latest` used in setup instructions", and "Skill instructs granting `clipboard-read` permission to browser context".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 49/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Description | Recommendation | Layer | Location |
|---|---|---|---|---|---|
| HIGH | Execution of `npm install` not covered by declared permissions | The skill instructs the agent to run `npm install -g @playwright/cli@latest` as a setup step. However, the skill's declared permissions are `Bash(playwright-cli:*)`, which explicitly limits Bash execution to `playwright-cli` commands. Attempting to execute `npm` would either be a command injection if the underlying Bash tool does not permit `npm`, or an undeclared excessive permission if it does. | Remove `npm install` instruction from the skill if it's not intended for agent execution. If `npm` execution is required, explicitly declare `Bash(npm:*)` or `Bash(*)` in the skill manifest and justify its necessity. | LLM | SKILL.md:10 |
| HIGH | Skill instructs granting `clipboard-read` permission to browser context | The skill provides an example demonstrating how to grant `clipboard-read` permission to the browser context using `playwright-cli run-code`. If the agent utilizes this capability, it could read the contents of the user's clipboard, potentially exfiltrating sensitive data or credentials that the user has copied. | Remove or heavily restrict examples that grant highly sensitive browser permissions like `clipboard-read`. If this functionality is absolutely necessary, add strong warnings and ensure the agent is designed to handle such data securely and only with explicit user consent. | LLM | SKILL.md:66 |
| MEDIUM | Unpinned dependency `@latest` used in setup instructions | The setup instruction `npm install -g @playwright/cli@latest` uses the `@latest` tag for the `@playwright/cli` package. Using unpinned dependencies can introduce supply chain risks, as a future version of the package could contain vulnerabilities or malicious code without explicit review. It is best practice to pin dependencies to a specific version. | Pin the `@playwright/cli` dependency to a specific version (e.g., `npm install -g @playwright/cli@1.x.y`) to ensure consistent and secure installations. | LLM | SKILL.md:10 |
| MEDIUM | Skill teaches use of `playwright-cli network` which can expose sensitive data | The skill instructs the agent to use `playwright-cli network` for 'Devtools-style introspection' and to 'inspect network requests'. Network requests frequently contain sensitive information such as authentication tokens, cookies, and other user data. If the agent is instructed to use this command on sensitive pages and then outputs the results, it could lead to data exfiltration or credential harvesting. | Add warnings about the sensitive nature of network data. Instruct the agent to filter or redact sensitive information before outputting network logs, or restrict its use to non-sensitive contexts. | LLM | SKILL.md:64 |
| MEDIUM | Skill teaches broad `playwright-cli run-code` for arbitrary JavaScript execution | The `playwright-cli run-code` command allows the execution of arbitrary JavaScript within the browser context. While sandboxed to the browser, this capability is very powerful and could be misused by an agent to manipulate the DOM, extract data, or perform other actions not explicitly intended, potentially leading to data exfiltration or other browser-side attacks. This broad capability is implicitly allowed by `Bash(playwright-cli:*)`. | Provide clearer guidance on the safe and intended use of `playwright-cli run-code`. Consider if such broad arbitrary JavaScript execution is truly necessary for the skill's core functionality, or if more specific `playwright-cli` commands could achieve the same goal with less risk. | LLM | SKILL.md:66 |