Steel Browser
WarnAudited by ClawScan on May 10, 2026.
Overview
This appears to be a real Steel.dev cloud-browser automation skill, but it needs review because unsafe script argument handling can execute local code and the proxy/CAPTCHA automation is high-risk.
Install only if you trust the Steel.dev provider and need cloud browser automation. Supervise browser actions, avoid sensitive accounts, do not use proxy/CAPTCHA features on sites where you lack permission, and ask the maintainer to fix the unsafe argument handling before allowing untrusted page content to drive the scripts.
Findings (7)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious page or task could cause the agent to pass a crafted browser-action argument that runs code on the user's machine, potentially reading files or environment secrets such as the Steel API key.
The script expands a tool argument directly into a Python heredoc as source code instead of passing it as data. The same style appears in multiple wrappers, so crafted selectors, text, URLs, or JS strings could break out of the string and run local Python.
SELECTOR="${1:?Usage: click.sh SELECTOR}" ... page.click("""$SELECTOR""")Rewrite wrappers to pass arguments via sys.argv, stdin, JSON, or environment variables with proper escaping; quote heredocs; and do not let untrusted web content choose raw tool arguments until this is fixed.
Using these features on third-party sites could violate site rules, trigger account bans, or enable abusive scraping or automated form activity.
The skill explicitly advertises proxy and CAPTCHA-solving features for difficult sites, which can be used to bypass anti-automation controls and is not limited to authorized testing or owned domains.
Supports residential proxies and CAPTCHA solving. ... Start session (add --proxy --captcha for tough sites)
Use proxy and CAPTCHA options only for authorized automation, add domain/task allowlists where possible, and require explicit user confirmation before enabling them.
A webpage could influence the agent to click, type, or navigate in ways the user did not intend.
The example loop feeds page text and screenshots into an LLM that decides browser actions. This is expected for browser agents, but web pages can contain adversarial instructions that try to redirect the agent.
CONTENT=$($SCRIPTS/get_content.sh) ... ACTION=$(echo "$CONTENT" | llm_decide /tmp/screen.png) ... click) ... type) ... navigate)
Treat webpage content as untrusted data, keep the user's original goal separate, and require confirmation for logins, payments, postings, submissions, downloads, or other high-impact actions.
Anyone who obtains the key may be able to use the user's Steel account resources or browser sessions.
The skill requires and uses a Steel API key to create and control browser sessions, even though the registry metadata does not declare required credentials. This is expected for the provider integration but should be clearly declared and protected.
api_key = os.environ.get("STEEL_API_KEY") ... f"wss://connect.steel.dev?apiKey={api_key}&sessionId={session_id}"Store the key securely, avoid logging it, revoke it if exposed, and update metadata to declare STEEL_API_KEY as a required credential.
Future package changes or a compromised dependency could affect what code runs locally.
Setup relies on unpinned third-party packages installed outside an install spec. This is common for SDK-based skills but leaves package versions and provenance less controlled.
pip install steel-sdk playwright
Pin package versions, provide a lockfile or install spec, and install from trusted package sources.
Sensitive browsing or form entries could be exposed to the cloud browser provider or anyone with access to session viewing links.
Browser control occurs through Steel.dev's cloud browser connection. This is central to the skill, but it means browsing activity, screenshots, and form data may pass through a third-party provider.
browser = _pw.chromium.connect_over_cdp(f"wss://connect.steel.dev?apiKey={api_key}&sessionId={session_id}")Avoid using the skill for highly sensitive accounts unless the provider's privacy and security terms are acceptable, and protect viewer URLs.
A forgotten session may continue consuming provider resources or exposing an active browser session longer than intended.
The skill intentionally persists the active session ID and keeps remote sessions alive until released or timed out. This is disclosed and scoped to Steel session management.
start_session.sh saves session ID to ~/.steel_state ... Sessions persist until release_session.sh or timeout
Run release_session.sh when finished, use short timeouts, and protect the ~/.steel_state file.