Agent Browser Core
ReviewAudited by ClawScan on May 1, 2026.
Overview
This instruction-only skill is coherent for web automation and includes strong safety guidance, but it relies on a high-privilege browser automation CLI that can handle sessions, credentials, local/browser state, and potentially risky commands.
Before installing or using this skill, verify and pin the external agent-browser package, run it in a dedicated non-privileged environment, allowlist target domains, block localhost/private network access, and require explicit human approval before using eval, file access, proxies, traffic interception, downloads, persistent profiles, or saved login state.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used on important websites, the agent could click buttons, fill forms, download files, or affect account state.
The skill documents browser actions that can interact with websites and also lists higher-risk tool capabilities, while labeling the risky ones as requiring explicit approval.
Safe defaults (typical) - `open`, `click`, `dblclick`, `fill`, `type` ... Sensitive / explicit approval - `eval` ... `download <selector> <path>` ... `network route`
Use clear task-specific instructions, approve high-impact actions manually, and keep domain allowlists and read-only defaults in place.
Saved sessions could let future automation act as the logged-in user on websites.
The skill contemplates reuse of authenticated browser state, which is expected for browser automation but gives the agent delegated access to logged-in accounts.
Log in once and `state save`. Reuse with `state load` in later runs. Treat state files as secrets and rotate when needed.
Use separate low-privilege accounts where possible, save session state only when necessary, rotate or delete state files after use, and require approval for account-changing actions.
Installing the external CLI and browser runtime extends trust to packages outside this skill.
The skill is instruction-only but directs users to install external tooling and browser dependencies; the documentation appropriately recommends pinning and dedicated environments.
Pin the version you trust: `npm install -g agent-browser@<version>` ... Install browser runtime: `agent-browser install` ... `npx playwright install-deps chromium`
Install only a reviewed, pinned version from a trusted source, avoid elevated privileges, and review upgrades before using them.
Approved use of these options could run code in browser contexts or change the browser runtime behavior.
The underlying CLI can execute page JavaScript or control custom browser runtimes, but the skill explicitly classifies these as high-risk and says they require approval.
High-risk capabilities - `eval` (arbitrary JavaScript) - `--executable-path`, `--args`, `--cdp` (custom runtime control)
Do not allow eval, custom executable paths, CDP access, or arbitrary browser arguments unless there is a specific, reviewed need.
Persistent browser state may retain login tokens or carry site state from one task into another.
Saved browser state can persist cookies, storage, and site context across runs; the artifact warns that these files are sensitive.
`state save`, `state load` (treat state files as sensitive)
Prefer ephemeral sessions, keep saved state scoped to a specific site and task, redact tokens from logs, and delete saved state when it is no longer needed.
Browser sessions or daemon processes could remain active longer than intended if not closed.
A background browser-control daemon is disclosed and purpose-aligned, but users should be aware that automation resources may persist until sessions are closed.
Uses a background daemon and Playwright for browser control.
Close tabs and sessions after each task, prefer ephemeral sessions, and run the tool in a dedicated environment.