Skill v0.2.2
ClawScan security
Agent Browser Juan · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 6, 2026, 3:33 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements and instructions match a CLI wrapper for a headless browser and do not request unrelated credentials or installs; the behavior is powerful but coherent with the stated purpose.
- Guidance: This skill appears internally consistent with a headless-browser CLI wrapper. Before installing or granting an agent autonomous access, consider: 1) The recommended install is via npm (npm install -g agent-browser) — verify the package name and publisher on the npm registry / GitHub to ensure you trust the source. 2) The CLI can save/load session state (cookies, auth.json), run arbitrary page JS (eval), and intercept/network-mock requests — all legitimate features for automation but capable of exposing sensitive page data. Avoid using the skill with high-value accounts or sensitive pages unless you trust the package and run it in an isolated environment. 3) If you want to limit risk, do not enable always:true autonomy, restrict when the agent can run the tool, and audit the upstream agent-browser npm/GitHub project and its maintainers before installing.
- Findings: [no-code-files] expected: The scanner found no code files to analyze because this is an instruction-only skill (SKILL.md); that's expected. Review focuses on the documented CLI commands rather than embedded code.
Review Dimensions
- Purpose & Capability (ok): Name/description (headless browser CLI) aligns with declared prerequisites (node, npm) and the SKILL.md commands (install via npm, snapshot, click, eval, network routing, state save/load). There are no unrelated env vars, binaries, or config paths requested.
- Instruction Scope (note): SKILL.md provides detailed CLI usage and does not instruct the agent to read unrelated system files or environment variables. However, the CLI exposes powerful capabilities (saving/loading session state, eval JavaScript, network routing/interception, setting headers) which — while expected for browser automation — could be used to access or extract sensitive page data if misused. The instructions themselves stay within the browser-automation scope.
- Install Mechanism (ok): This is an instruction-only skill (no install spec). The docs recommend installing the agent-browser npm package (npm install -g agent-browser) or building from GitHub. Those are typical approaches; nothing in the skill attempts to force-download arbitrary archives or use untrusted URLs within the skill itself.
- Credentials (ok): The skill declares no required environment variables or credentials. The CLI supports handling session files (auth.json) and HTTP basic auth via its own commands, which is appropriate for a browser tool and does not require unrelated secrets from the host environment.
- Persistence & Privilege (ok): Flags show always:false and normal model invocation behavior. The skill does not request permanent inclusion or attempt to modify other skills' configs. It can be invoked by the agent as expected for a user-invocable tool.
