Skip to main content

web-cap

Enables browser automation for inspecting and interacting with web pages through a command-line interface, enhancing data extraction and testing workflows.

Install this skill

or
0/100

Security score

The web-cap skill was audited on Jun 15, 2026 and we found 13 security issues across 3 threat categories, including 9 high-severity. Review the findings below before installing.

Categories Tested

Security Issues

high line 55

Template literal with variable interpolation in command context

SourceSKILL.md
55- Save repeated or site-specific workflows under `${WEB_CAP_PATH}` as reusable capability scripts.
high line 65

Template literal with variable interpolation in command context

SourceSKILL.md
65- Look under `${WEB_CAP_PATH}/<domain>/` for scripts that match the target site or workflow.
high line 66

Template literal with variable interpolation in command context

SourceSKILL.md
66- Read `${WEB_CAP_PATH}/<domain>/README.md` when it exists before running a saved script.
high line 70

Template literal with variable interpolation in command context

SourceSKILL.md
70- Before writing any file under `${WEB_CAP_PATH}` or a reusable script domain directory, read `references/how-to-write-reusable-scripts.md`.
high line 71

Template literal with variable interpolation in command context

SourceSKILL.md
71- When saving a new reusable script, write it to `${WEB_CAP_PATH}/<domain>/<capability-name>.js`.
high line 204

Template literal with variable interpolation in command context

SourceSKILL.md
204| Reusable capability script | Agent-triggered browser workflow that can accept JSON input and return structured JSON output. | Run explicitly with `web-cap script-execute --script-file <path>`. | `${
high line 205

Template literal with variable interpolation in command context

SourceSKILL.md
205| Page userscript | Page lifecycle script that should run automatically when matching pages load. | Installed with `web-cap userscript install --file <path>` and then injected by the extension. | Sour
high line 207

Template literal with variable interpolation in command context

SourceSKILL.md
207Only reusable capability scripts in `${WEB_CAP_PATH}` are meant to be run with
high line 208

Template literal with variable interpolation in command context

SourceSKILL.md
208`script-execute`. Do not put page userscripts under `${WEB_CAP_PATH}/<domain>/`,
medium line 120

Prompting for password/secret input

SourceSKILL.md
120await page.locator('input[name="password"]').fill(input.password);
low line 226

External URL reference

SourceSKILL.md
226* @match https://example.com/*
low line 243

External URL reference

SourceSKILL.md
243example `https://example.com/*` or `*://*.example.com/docs/*`.
low line 254

External URL reference

SourceSKILL.md
254web-cap userscript list --match-url https://example.com/page
Scanned on Jun 15, 2026
View Security Dashboard
Installation guide →
GitHub Stars 5
Rate this skill
Categorydevelopment
UpdatedJune 15, 2026
openclawapitestingdata-engineerqa-engineerbackend-developergithubdevelopment
edgestorage/web-cap