Agent Browser
Warn
Audited by ClawScan on May 10, 2026.
Overview
Agent Browser has a legitimate browser-automation purpose, but it can reuse logged-in browser sessions and relies on an external browser-control CLI that needs careful review before use.
Install only if you are comfortable giving an external CLI broad browser-control authority. Use an isolated Chrome profile or test account, avoid importing your primary browser session, verify/pin the CLI package, require confirmation before submitting forms or acting on logged-in sites, and clean up saved session files after use.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent, the external CLI, or any process with access to the saved state or debugging port could act as the user on logged-in websites.
The skill documents importing an already logged-in Chrome session and saving cookies/localStorage/session tokens; the documented flow is high-impact and is not clearly limited to one site or one token.
agent-browser --auto-connect state save ./my-auth.json ... save its cookies + localStorage ... `--remote-debugging-port` exposes full browser control on localhost. Any local process can connect and read cookies, execute JS, etc. ... State files contain session tokens in plaintext.
Use a dedicated browser profile or test account, avoid auto-connecting to your primary browser, close remote-debugging Chrome when done, encrypt/delete state files, and require explicit approval before authenticated actions.
A changed or untrusted external package could receive powerful browser-control and session-access authority.
The skill allows running or installing an external CLI without a pinned version in the artifact, and the reviewed files contain documentation/templates rather than the CLI implementation that will control the browser.
allowed-tools: Bash(npx agent-browser:*), Bash(agent-browser:*) ... Install via `npm i -g agent-browser`, `brew install agent-browser`, or `cargo install agent-browser`. Run `agent-browser install` to download Chrome.
Verify the package source and maintainer, pin a reviewed version where possible, install it manually in an isolated environment, and avoid using it with important accounts until provenance is clear.
Using these workflows against third-party sites could violate site rules, trigger account/IP blocks, or create legal and operational risk.
The proxy guidance explicitly includes rate-limit and ban avoidance for scraping, which can enable misuse beyond ordinary testing or corporate proxy configuration.
Proxy configuration for geo-testing, rate limiting avoidance ... ### Rotating Proxies for Scraping ... Rotate through proxy list to avoid rate limiting ... Distribute load and avoid bans
Use proxy features only for authorized testing, respect site terms and rate limits, and avoid automating scraping that bypasses access controls or abuse protections.
Saved state files may let future runs access accounts without another login, and anyone who obtains those files may be able to reuse the session.
The skill creates durable browser state that can be reused across tasks; this is purpose-aligned but can retain sensitive authentication material unless encrypted and cleaned up.
Use `--session-name` to auto-save and restore cookies + localStorage by name ... state saved to ~/.agent-browser/sessions/ ... State files contain session tokens in plaintext.
Set an encryption key for saved state, store state files outside shared repositories, add them to .gitignore, and delete them when the automation is finished.
JavaScript run in a page can read or change page state, cookies/localStorage accessible to the page, and form contents.
Arbitrary JavaScript execution is documented and can be useful for browser automation, but it is a powerful page-context execution capability.
agent-browser eval -b "<base64>" # Any JavaScript (base64 encoded)
agent-browser eval --stdin # Read script from stdin
Prefer normal click/fill/get commands, and only run JavaScript that the user requested or reviewed.
A browser session may remain active or authenticated longer than the user expects.
The background daemon is disclosed and purpose-aligned, but it means browser state can live beyond a single command.
The browser persists between commands via a background daemon, so chaining is safe and more efficient than separate calls.
Close sessions when finished and avoid leaving authenticated automation sessions running unattended.
