Agent Browser
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked on a real account, the agent could submit forms, click buttons, upload or download files, or otherwise change website state beyond what the user intended.
The skill gives the agent broad, mutation-capable browser authority across arbitrary websites; the artifacts present safety controls such as allowlists as optional rather than required.
Use when interacting with websites — navigating pages, filling forms, clicking buttons... downloading files, or automating any browser task. Triggers on... 'login to a site'...
Use a domain allowlist and action policy, require explicit confirmation before login, submissions, purchases, posting, uploads, or account changes, and prefer a disposable browser profile.
Saved passwords, cookies, or an existing browser profile could let the agent continue acting as the user on websites after the initial login.
The documented commands can store passwords, save and reload session cookies/localStorage, and attach to an existing Chrome profile; the artifacts do not define credential scope, storage protections, or retention.
agent-browser auth save github --url https://github.com/login --username user --password-stdin ... agent-browser state save auth.json # Save cookies/localStorage ... agent-browser --auto-connect open <url> # Auto-discover Chrome
Avoid saving credentials unless necessary, use a separate low-privilege browser profile, delete saved state promptly, and verify where and how the auth vault stores secrets before use.
Installing the skill can execute external package code with the user's local privileges, so a compromised or different npm package version could affect the machine.
The setup script globally installs whatever npm package version resolves at run time and then runs its browser installer, without a pinned version, hash, lockfile, or reviewed package source in the supplied artifacts.
npm install -g agent-browser ... agent-browser install --with-deps 2>/dev/null || agent-browser install
Pin the package version, provide a trusted source/homepage and lockfile or checksum, and install in a sandbox or disposable environment until the package provenance is verified.
A malicious webpage could include text that attempts to steer the agent away from the user's real instructions.
The skill reads arbitrary webpage content into the agent context, and its AI-safety content-boundary control is documented as optional.
agent-browser snapshot -i ... agent-browser get text body > page.txt ... export AGENT_BROWSER_CONTENT_BOUNDARIES=1 # Wrap output for AI safety
Enable content boundaries, treat webpage text as untrusted, and do not let page-provided instructions override the user's instructions without confirmation.
