browser-act Review
Audited by ClawScan on May 15, 2026.
Overview
The skill fits its browser-automation purpose, but it relies on an unreviewed external CLI and runtime instructions that can operate logged-in browser sessions, forms, uploads, and persistent profiles.
Install only if you trust the BrowserAct CLI source. Prefer a pinned, audited CLI version, review the runtime guide before following it, use a dedicated browser profile, and require explicit confirmation before logins, form submissions, uploads, account changes, or CAPTCHA assistance.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
1. The agent may follow instructions returned by the installed CLI, not just the instructions visible in the reviewed skill.
The skill makes CLI-generated runtime content mandatory and describes it as containing operational directives, so unreviewed output can influence agent behavior.
Excerpt: "Before running any `browser-act` command, load the usage guide from the CLI ... **Do NOT skip this step** ... `get-skills core` provides environment status, available browsers, operational directives"
Review the `get-skills core` output before relying on it, and do not allow it to override user intent or platform safety rules.

2. Installing the skill may lead to running external code that ClawScan did not analyze, and future package changes could alter behavior.
The skill depends on an external CLI package installed without a pinned package version or hash, and no executable code is included in the reviewed artifacts, so the CLI itself was outside the scope of this review.
Excerpt: "Install: `uv tool install browser-act-cli --python 3.12`"
Install only from a trusted source, pin and verify the package version, and audit the CLI before using it with logged-in accounts or sensitive browsing.

3. If used carelessly, the agent could submit forms, upload files, click through account workflows, or collect sensitive browsing data.
The allowed-tool pattern grants access to all browser-act subcommands, and the documented operations can mutate web accounts or capture sensitive page and network data.
Excerpt: "allowed-tools: Bash(browser-act:*) ... fill forms and click through workflows, type, select, upload, take screenshots, capture XHR/fetch/HAR responses"
Use the tool only for user-requested browser tasks and require explicit confirmation before logins, submissions, uploads, deletions, or other account-changing actions.

4. The agent could interact with accounts where the user is logged in, so mistakes may affect real services or private data.
The skill may use authenticated browser sessions and local Chrome access, which are privileged account contexts, though the artifact states that sensitive actions require confirmation.
Excerpt: "maintain authenticated sessions ... CDP connection to local Chrome ... requires explicit user confirmation ... Sensitive operations: login, form submission, file upload require user confirmation"
Use dedicated browser profiles where possible, avoid high-value accounts unless necessary, and confirm each sensitive action before proceeding.

5. Cookies, credentials, page content, and logs may remain on the machine after a task and could be exposed to later tasks or to local compromise.
The skill creates persistent local browser state and logs that can contain sensitive session and page data reused across tasks.
Excerpt: "Filesystem read/write at CLI data directory — browser profiles ... session logs ... All cookies, login sessions, page content, credentials, and browser profile data are stored and processed locally"
Store profiles in a controlled location, clear sessions and logs when finished, and avoid using persistent profiles for highly sensitive accounts.

6. A challenge image may be sent outside the local machine when CAPTCHA-solving assistance is invoked.
The artifact discloses an optional external provider/API flow for verification assistance, with a stated boundary of sending only challenge images.
Excerpt: "optional verification-assistance API (sends only the challenge image, no cookies or page content) ... The only outbound data is the captcha challenge image when solve-captcha is invoked"
Use verification assistance only when appropriate and authorized, and confirm that no sensitive page content is included in the challenge image.
