v1.0.0

broswer use skill

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 8:40 AM.

Analysis

This skill is not clearly malicious, but it gives an agent broad control over your Chrome browser and related tools, including form actions, file uploads, screenshots sent to an LLM, and script execution.

GuidanceInstall this only if you intentionally want an agent to control Chrome. Before use, verify the npm package and extension, use a separate browser profile, require confirmation for clicks, form submissions, uploads, screenshots, script execution, and updates, and avoid using it on sensitive logged-in pages unless you understand where the data may go.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityHighConfidenceHighStatusConcern

SKILL.md

browser-cli interact click btn-42 --tab 123 ... browser-cli interact fill input-5 "hello world" ... browser-cli interact upload --tab 123 --file-path /path/to/file ... browser-cli interact computer --action left_click

The skill exposes direct browser interaction, form filling, file upload, and pixel-level clicking through shell commands, with no documented confirmation or scoping requirements.

User impactAn agent using this skill could click buttons, submit forms, or upload files in Chrome in ways that affect real websites or accounts.

RecommendationUse only with explicit user approval for clicks, submissions, uploads, and account-affecting actions; prefer a separate browser profile and restrict allowed sites and file paths.

Unexpected Code Execution

SeverityHighConfidenceHighStatusConcern

SKILL.md

browser-cli skill run my-skill scripts/init.js            # Execute skill script

The documented CLI can execute scripts from AIPex skills, which goes beyond page interaction and gives the agent a path to run local skill code.

User impactIf invoked carelessly, the agent could run local or third-party skill scripts with effects outside the browser task.

RecommendationDo not allow autonomous use of script-running commands; require review of the target skill and script path before execution.

Agentic Supply Chain Vulnerabilities

SeverityLowConfidenceHighStatusNote

SKILL.md

browser-cli installed globally: npm install -g browser-cli

The skill is instruction-only and requires installing an external global npm package; this is expected for a CLI skill, but the package code is not present in the provided artifacts.

User impactYou are trusting an external npm package and browser extension to control Chrome.

RecommendationVerify the package publisher, repository, and extension source before installation, and avoid installing from untrusted mirrors.

Rogue Agents

SeverityLowConfidenceHighStatusNote

SKILL.md

The daemon auto-spawns on first use and self-terminates when idle.

The background daemon behavior is disclosed and tied to the browser-control purpose, but users should notice that the tool starts a local service automatically.

User impactA local browser-control daemon may run during use and mediate access between terminal commands and the Chrome extension.

RecommendationCheck daemon status when finished and disconnect the extension or stop the service if you do not want browser control available.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityMediumConfidenceMediumStatusConcern

SKILL.md

browser-cli ──WebSocket──▶ aipex-daemon ──WebSocket──▶ AIPex Chrome Extension ──▶ Browser APIs

The CLI acts through a connected Chrome extension and Browser APIs, but the artifact does not bound which browser profiles, sites, tabs, or signed-in web sessions the agent may control.

User impactThe agent may be able to act with the same web-session privileges as the connected browser profile.

RecommendationUse a dedicated Chrome profile for automation and require user confirmation before interacting with logged-in or sensitive sites.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication

SeverityMediumConfidenceHighStatusConcern

SKILL.md

browser-cli page screenshot-tab 123 --send-to-llm true   # Screenshot with LLM analysis

The skill documents sending a browser screenshot to an LLM, but the artifact does not define destination, redaction, retention, or approval boundaries for potentially sensitive page content.

User impactScreenshots may contain private emails, account pages, documents, or other sensitive browser content that could be shared with an LLM provider.

RecommendationRequire explicit approval before using LLM screenshot analysis and avoid it on sensitive pages unless data handling is understood.