Trusted — Risk Score 5/100
Last scan: 18 hr ago
brave-loggedin-tag-browsing
Use the Brave browser (in a logged-in state) to browse X/Twitter and Facebook user pages and extract the latest posts
This is a legitimate social media scraping tool using Playwright for browser automation to extract public posts from X/Twitter and Facebook. No malicious behavior, credential theft, or data exfiltration detected.
Skill Name: brave-loggedin-tag-browsing
Duration: 56.1s
Engine: pi
Safe to install
This skill is safe to use. Minor improvements: fix hardcoded path in dist/index.js and correct the undefined export reference in execute.js.

Findings 2 items

Severity: Low
Finding: Minor path inconsistency (Doc Mismatch)
dist/index.js has hardcoded path /home/shuttle/.config/google-chrome instead of using dynamic os.homedir() like index.js does. This limits portability.
const userDataDir = `/home/shuttle/.config/google-chrome`;
→ Use path.join(os.homedir(), '.config', 'google-chrome') for cross-platform compatibility
Location: dist/index.js:68

Severity: Low
Finding: Undefined export reference (Doc Mismatch)
execute.js imports 'braveBrowseX' from index.js but this function is not exported - only 'braveBrowsePlatform' is exported.
const { braveBrowseX } = require('./index');
→ Change to 'braveBrowsePlatform' or export braveBrowseX alias
Location: execute.js:7

| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Browser | READ | READ | ✓ Aligned | Playwright CDP connection to existing browser |
| Browser | WRITE | WRITE | ✓ Aligned | launchPersistentContext creates new Brave instance |
| Filesystem | READ | READ | ✓ Aligned | Accesses browser userDataDir via Playwright for session persistence |
| Shell | NONE | NONE | | No subprocess or shell execution detected |
| Network | NONE | READ | ✓ Aligned | Only connects to x.com and facebook.com for scraping |

3 findings
Medium External URL
https://twitter.com/$
dist/index.js:27
Medium External URL
https://www.facebook.com/$
dist/index.js:45
Medium External URL
https://clawhub.com/skills/brave-loggedin-tag-browsing
skill.json:98

File Tree

12 files · 61.3 KB · 1731 lines
JavaScript 5f · 628L JSON 4f · 433L Markdown 2f · 382L TypeScript 1f · 288L
├─ 📁 dist
│ └─ 📜 index.js JavaScript 227L · 10.6 KB
├─ 📜 cli.js JavaScript 41L · 1.1 KB
├─ 📜 execute.js JavaScript 42L · 1.1 KB
├─ 📜 index.js JavaScript 171L · 6.7 KB
├─ 📜 index.ts TypeScript 288L · 10.9 KB
├─ 📋 package-lock.json JSON 283L · 9.9 KB
├─ 📋 package.json JSON 27L · 600 B
├─ 📝 README.md Markdown 276L · 8.5 KB
├─ 📋 skill.json JSON 105L · 3.9 KB
├─ 📝 SKILL.md Markdown 106L · 3.0 KB
├─ 📜 test-facebook.js JavaScript 147L · 4.7 KB
└─ 📋 tsconfig.json JSON 18L · 455 B

Dependencies 1 items

| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| playwright | ^1.58.2 | npm | No | Version has caret range, recommend exact pinning |

Security Positives

✓ No shell execution or subprocess usage
✓ No credential harvesting or environment variable access
✓ No data exfiltration to external servers
✓ No base64 encoding or obfuscation
✓ No remote script download (curl|bash, wget|sh)
✓ Uses legitimate Playwright library for browser automation
✓ Documentation accurately describes the scraping functionality
✓ Only accesses publicly available social media data
✓ No supply chain risks - uses well-known playwright package with version pinned