Luke Agent Browser Clawdbot

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used on sensitive sites, the agent could submit forms, change settings, or trigger purchases/posts depending on the user's session and instructions.

Why it was flagged

The skill exposes direct browser interaction commands that can click, type, and submit content on websites. This is central to the stated purpose, but it can have real effects on logged-in accounts.

Skill content

agent-browser click @e2
agent-browser fill @e3 "text"
agent-browser type @e3 "text"
agent-browser press "Enter"

Recommendation

Use it only for clearly scoped tasks and require explicit user confirmation before actions that buy, post, delete, send, or change account data.

What this means

Saved auth files could let later browser automation act as the logged-in user, and mishandling those files could expose sessions.

Why it was flagged

The documented workflow can persist and reload cookies/storage, which may represent authenticated website sessions.

Skill content

agent-browser state save auth.json        # Save cookies/storage
agent-browser state load auth.json        # Load (skip login)

Recommendation

Store auth state files securely, avoid sharing them, delete them when no longer needed, and use separate low-privilege test accounts when possible.

What this means

The reviewed skill text is benign, but the actual behavior depends on the npm package and downloaded browser/dependencies installed on the user's machine.

Why it was flagged

The skill is instruction-only but asks the user to install and run an external CLI and browser dependencies that are not included in the reviewed artifacts.

Skill content

npm install -g agent-browser
agent-browser install                     # Download Chromium
agent-browser install --with-deps         # Linux: + system deps

Recommendation

Verify the npm package and GitHub source before installing globally, prefer pinned versions where possible, and avoid running install commands with elevated privileges unless necessary.