PageAgent Browser Enhancement
Warn
Audited by ClawScan on May 10, 2026.
Overview
This is a coherent browser automation helper, but it can run arbitrary code inside web pages and may act through a non-isolated Chrome profile, so it needs careful review before use.
Prefer the isolated OpenClaw browser profile, use this mainly on local development or trusted test pages, and avoid sensitive accounts unless you explicitly want the agent to operate there. Review or disable the arbitrary JavaScript execution path before using it on important websites.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked on a sensitive page, the agent could run arbitrary page-context code, read or alter page state, or trigger actions in ways that bypass normal browser interaction safeguards.
The bundled controller evaluates caller-supplied script text. Combined with the exposed PageAgent API, this allows arbitrary JavaScript execution inside the target page, beyond the safer indexed click/input/scroll actions described in the main workflow.
const asyncFunction = eval(`(async () => { ${script} })`);
Disable or remove the arbitrary execJS/executeJavascript path, or require explicit user approval and restrict it to isolated test pages or trusted local development sites.
The agent could click buttons, type into forms, or submit changes on pages where those actions affect accounts, purchases, admin consoles, or production systems.
The skill intentionally grants broad browser-operation authority across arbitrary pages. That is purpose-aligned, but the artifacts do not provide scoping, confirmation, or rollback guidance for high-impact web actions.
Injects into any web page ... clicking, typing, scrolling, form filling, or reading page structure.
Use the skill only for pages you explicitly want automated, prefer local/test targets, and require user confirmation before submitting forms or performing irreversible account or business actions.
If used in a regular Chrome context, actions may be performed as the signed-in user on websites that already trust that browser session.
The documentation allows operation through a Chrome profile rather than only an isolated browser. In practice, that may place the automation in a context with existing user sessions or account access.
Use `profile="openclaw"` for the isolated browser, or `profile="chrome"` for the Chrome extension relay
Default to the isolated `openclaw` profile. Use `profile="chrome"` only when necessary and after confirming which account/session the browser is using.
Text from the current web page may be shown to and reasoned over by the agent, including sensitive page content or prompt-like instructions embedded by the site.
The skill extracts page URL, title, and readable DOM content into the agent context. This is expected for DOM automation, but page contents can include private data or untrusted text.
return { url: state.url, title: state.title, header: state.header, content: state.content, footer: state.footer };
Avoid using DOM extraction on pages containing secrets or private account data unless you are comfortable with the agent processing that content.
Users have little provenance information with which to confirm that the bundled controller matches the claimed upstream library and version.
The registry metadata does not provide a source or homepage for verifying the packaged skill, even though it ships a large vendored browser-controller library.
Source: unknown; Homepage: none
Verify the bundled files against the claimed upstream `@page-agent/page-controller@1.5.6` source before trusting it in sensitive browsing contexts.
