Agent Browser
Warn
Audited by ClawScan on May 10, 2026.
Overview
This is a powerful browser-automation skill that is mostly disclosed, but it can reuse logged-in browser sessions and encourages proxy rotation for scraping, so it needs careful review before use.
Install only if you need powerful browser automation and are comfortable supervising it. Use a dedicated profile or test account, avoid importing your normal logged-in browser, encrypt/delete auth state files, verify the external CLI package source, and do not use the proxy-rotation scraping patterns to bypass site limits or bans.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this workflow could act as you on websites where your browser is logged in, and the saved state file could expose account sessions if mishandled.
The skill explicitly supports importing authentication from the user's running Chrome session and saving session cookies/localStorage to a local file, which can grant access to logged-in accounts.
agent-browser --auto-connect state save ./my-auth.json ... save its cookies + localStorage ... State files contain session tokens in plaintext.
Use a dedicated browser profile or test account when possible, avoid importing your main browser session, encrypt or delete state files, and approve any authenticated action explicitly.
Using these patterns could violate website rules, trigger account blocking, or cause the agent to perform abusive scraping behavior.
The proxy documentation does not just describe corporate or testing proxy use; it explicitly encourages rotating proxies to avoid rate limits and bans while scraping.
Proxy configuration for geo-testing, rate limiting avoidance... Rotating Proxies for Scraping ... Rotate through proxy list to avoid rate limiting ... avoid bans
Use proxies only for legitimate testing or approved network routing, respect robots.txt/site terms and rate limits, and avoid automated scraping meant to bypass restrictions.
JavaScript execution can read or change page content in the active browser context, including authenticated pages.
The CLI can execute arbitrary JavaScript in the controlled browser page. This is a normal browser automation/debugging capability, but it is powerful.
agent-browser eval "document.title" ... agent-browser eval -b "<base64>" # Any JavaScript ... agent-browser eval --stdin
Only run page scripts you understand and keep this capability scoped to the site and task the user requested.
Browser sessions may remain open with cookies, tabs, or other state unless closed or cleaned up.
The browser process is intentionally kept alive between CLI commands. This is disclosed and useful for automation, but users should know it may outlive one command.
The browser persists between commands via a background daemon
Close sessions when finished and avoid leaving authenticated browser automation sessions running unattended.
Saved browser state may carry sensitive account data or stale/poisoned site state into future automation runs.
The skill persists browser state across tasks. That is expected for authenticated automation, but the stored state can include sensitive data and can be reused later.
Save cookies, storage, and auth state ... State File Contents ... "cookies" ... "localStorage" ... "sessionStorage"
Use separate named sessions per site/task, encrypt state where supported, keep state files out of source control, and delete them when no longer needed.
Users must trust the external agent-browser package source and whatever version their package manager or npx resolves.
The skill relies on an external CLI but the registry metadata does not provide source/homepage provenance or a pinned install specification.
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.
Verify the package publisher/source before installing, prefer pinned versions, and avoid running npx for sensitive authenticated sessions unless provenance is clear.
