Agent Browser - Browser Automation
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This looks like a legitimate browser-automation skill, but it gives the agent broad website-control powers and depends on unreviewed external software with unclear provenance.
Before installing, verify the official agent-browser package/repository and pin a trusted version. Use a separate browser profile or test account where possible, avoid sensitive sites unless necessary, and require manual approval before uploads, submissions, purchases, account changes, or any irreversible web action.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used on a logged-in or sensitive site, the agent could click buttons, submit forms, change account data, or upload files if it misunderstands a task or follows malicious page content.
The allowed tool pattern exposes every agent-browser command, and the documented commands include website mutations and file upload. The artifacts do not describe confirmation, site scoping, or action limits for sensitive operations.
allowed-tools: Bash(agent-browser:*) ... agent-browser click @e1 ... agent-browser fill @e2 "text" ... agent-browser upload @e1 file.pdf
Use this only on intended sites, prefer test accounts or an isolated browser profile, and require explicit user confirmation before submissions, uploads, purchases, account changes, or other irreversible actions.
A user may install and run a different or unexpected version of the browser automation tool, including code outside the reviewed skill artifacts.
The reviewed skill contains no runnable CLI code and instructs users to install an unpinned global external package/source. The registry lists source/homepage as unknown, and README.md separately references a different repository, creating provenance ambiguity.
npm install -g agent-browser
agent-browser install
agent-browser install --with-deps
...
git clone https://github.com/vercel-labs/agent-browser
Verify the official npm package and repository before installing, pin a known-good version, prefer a trusted source link in metadata, and consider running the tool in a sandboxed environment.
The agent may be able to act with the permissions of the active browser session or supplied HTTP credentials.
The skill can work with authentication material and browser session state. This is purpose-aligned for browser automation, but it is sensitive authority.
agent-browser set credentials user pass # HTTP basic auth ... Recording creates a fresh context but preserves cookies/storage from your session.
Avoid using this on highly sensitive accounts unless necessary, use separate profiles or test accounts, and clear cookies/storage after sensitive tasks.
Private session data or site-controlled state may carry into later browsing, recordings, screenshots, or automated interactions.
Browser cookies and storage can persist into later contexts. This is disclosed and useful for automation, but persistent page state can expose private information or influence later actions.
Recording creates a fresh context but preserves cookies/storage from your session.
Use isolated browser state for sensitive work, clear storage between unrelated tasks, and review generated screenshots, PDFs, and recordings before sharing.
Running JavaScript on a logged-in page can read or modify page content within that browser context.
The tool documents JavaScript execution in a browser page context. This is expected for testing and browser automation, but users should treat evaluated scripts as powerful on the loaded page.
agent-browser eval --url https://example.com "document.title"
Only evaluate scripts you understand, especially on authenticated or sensitive websites.
