Safety Report

Playwright Scraper Skill

Name: Playwright Scraper Skill
Rating: 3 (25 reviews)
Author: waisimon

Playwright-based web scraping OpenClaw Skill with anti-bot protection. Successfully tested on complex sites like Discuss.com.hk.

13,581Downloads

126Installs

25Stars

1Versions

API Integration4,971 Browser Automation1,737 Web Scraping958 Legal & Compliance738

Security Analysis

medium confidence

Suspicious0.08 risk

The skill's code and instructions match a Playwright-based scraper, but the registry metadata omits required runtime dependencies (Node/Playwright) and the SKILL.md encourages anti-bot evasion tactics (proxies/CAPTCHA services) — a coherent scraper but with metadata and disclosure gaps you should understand before installing.

Feb 11, 202613 files3 concerns

Purpose & Capabilityconcern

The skill's name, description, SKILL.md and bundled scripts are coherent with a Playwright-based web scraper that implements anti-bot/stealth techniques. However, the registry metadata claims "Required binaries: none" and "instruction-only" while the documentation and scripts clearly require Node.js/npx and Playwright (and download Chromium). The missing declaration of those runtime dependencies is an inconsistency that matters for installation and security posture.

Instruction Scopenote

SKILL.md and the scripts instruct the agent to install dependencies (npm install, npx playwright install chromium) and run local JS scripts that (a) alter navigator properties to hide automation markers, (b) set UA, (c) save screenshots/HTML, and (d) optionally use proxies/CAPTCHA services in future. All of these are within the stated scraping purpose. The instructions do encourage evasive techniques (proxies, CAPTCHA solving) which enable circumvention of anti-bot controls — that is legitimate for scraping but increases misuse risk. The scripts do not exfiltrate data to external endpoints or read arbitrary system files beyond writing screenshots/HTML to disk.

Install Mechanismnote

There is no registry install spec, but package.json/package-lock are present and point to Playwright from the public npm registry (resolved to known packages). Installation uses standard npm and npx playwright install chromium which will download browser binaries. No remote arbitrary download URLs, URL shorteners, or personal servers were used in the manifest. This is a common but non-trivial install step (large browser download, network access).

Credentialsok

The skill does not request secret environment variables or credentials. The scripts accept non-sensitive env vars (WAIT_TIME, SCREENSHOT_PATH, HEADLESS, USER_AGENT, SAVE_HTML). SKILL.md mentions future CAPTCHA/proxy integrations (which would require service keys) but these are not present in the current code. Current env/credential requests are proportionate to the stated purpose.

Persistence & Privilegeok

The skill is not always-included and is user-invocable. It does not request elevated system privileges or modify other skills or global agent configuration. Running the scripts will write files (screenshots, HTML) within the working directory or provided paths — expected behavior for a scraper.

Guidance

This package appears to be a legitimate Playwright-based scraper and the code implements stealth techniques to evade anti-bot protections. Before installing or running it: - Be aware of the metadata mismatch: you will need Node (recommended v18+), npm/npx, and Playwright; the skill will download Chromium (significant disk + network). The registry entry did not declare these required binaries. - Run in an isolated environment (container/VM) if you want to limit risk from running untrusted code and browser binaries. - Review the scripts yourself (they are small and included) — they do not call external C2 endpoints or exfiltrate secrets, but they do modify navigator properties to hide automation markers and encourage use of proxies/CAPTCHA-solving in future. - Avoid supplying any sensitive API keys (anti-captcha, proxy credentials) unless you trust the code and the maintainer; those integrations would increase risk if added later. - Consider legal and terms-of-service risks: the skill actively helps bypass anti-bot measures (proxies, headful mode, navigator masking). Using it against sites that disallow scraping can violate laws or terms. If you want to proceed, ensure Node/npm are installed, inspect package.json/package-lock, run npm install and npx playwright install chromium in a controlled environment, and test on benign pages first.

Latest Release

v1.2.0

Initial ClawHub release: Pure Playwright with anti-bot protection, bilingual docs (EN/ZH), successfully tested on Discuss.com.hk

Popular Skills

self-improving-agent

@pskoett · 1,456 stars

Gog

@steipete · 672 stars

Tavily Web Search

@arun-8687 · 620 stars

Find Skills

@JimLiuxinghai · 529 stars

Proactive Agent

@halthelobster · 426 stars

Summarize

@summarize · 415 stars

Published by @waisimon on ClawHub