Browser Act
Review
Audited by ClawScan on May 16, 2026.
Overview
Browser Act is a powerful browser automation skill that can use authenticated sessions and asks the agent to trust instructions from an external CLI, so users should review it carefully before installing.
Install only if you trust the browser-act CLI package and understand that it can automate logged-in browser sessions. Prefer isolated profiles, pin/review the CLI version, read any generated guidance critically, and require explicit confirmation before logins, submissions, uploads, or other account-changing actions.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

The agent could follow new operational instructions produced by the CLI rather than only the reviewed skill and the user's request.
The skill makes output from the installed CLI an authoritative instruction source before use; that output is not part of the reviewed artifact and could redirect agent behavior.
Before running any `browser-act` command, load the usage guide from the CLI... **Do NOT skip this step**... `get-skills core` provides ... operational directives
Treat CLI-generated operational directives as untrusted until reviewed; do not allow them to override system, developer, or user instructions.

A user would be trusting an unreviewed external package to automate their browser and handle sensitive session data.
The skill directs installation of an external CLI without a pinned package version or hash, while the provided registry context has no install spec or code files for the package that will handle browser sessions.
Install: `uv tool install browser-act-cli --python 3.12`
Use a pinned, reviewed package version and provide an install spec or package provenance before granting browser/session authority.

The agent could use the browser to change website/account state, upload files, or collect network data if the CLI or instructions are misused.
The wildcard exposes the full browser-act CLI surface for high-impact browser actions such as submissions, uploads, and network capture, with no reviewed wrapper limiting targets or commands.
allowed-tools: Bash(browser-act:*) ... fill forms and click through workflows ... upload ... capture XHR/fetch/HAR responses
Restrict commands and target sites where possible, and require explicit user confirmation immediately before login, form submission, file upload, deletion, or account-changing actions.

If misused, the agent could act as the user on logged-in websites or expose sensitive account context through browser automation.
The skill is designed to use authenticated browser state and credentials, but the reviewed artifact does not tightly bound which accounts, sites, credentials, or outputs are in scope.
maintain authenticated sessions ... All cookies, login sessions, page content, credentials, and browser profile data are stored and processed locally
Use isolated browser profiles, authorize only specific sites/accounts, and confirm every account-changing action before it is performed.

Cookies, page context, or prior session information may remain available to later browser-automation tasks.
Persistent browser profiles and session logs are disclosed and useful for the stated purpose, but they may retain sensitive browsing context across runs.
Filesystem read/write at CLI data directory — browser profiles (per-browser isolated) and session logs (rotated each run)
Review where the CLI stores profiles and logs, clear them when no longer needed, and avoid using sensitive accounts unless necessary.

A CAPTCHA or verification image may be sent outside the local machine when that feature is invoked.
The skill discloses an external provider/API flow for verification assistance; the claimed data sent is limited to the challenge image.
optional verification-assistance API (sends only the challenge image, no cookies or page content)
Use verification assistance only when you are comfortable sending the challenge image to the provider, and avoid it for sensitive workflows unless necessary.
