ClawHub

Browser Use Local

v1.0.0

Automate browser actions locally via browser-use CLI/Python: open pages, click/type, screenshot, extract HTML/links, debug sessions, and capture login QR codes.

0· 1.5k·6 current·7 all-time
by@fengjiajie
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md and included scripts are coherent with a 'browser-use local' helper: CLI examples, screenshot/HTML extraction, QR crop helper, and a small agent runner. The skill lacks a one-line description in the registry metadata, but the code and docs align with the claimed functionality.
!
Instruction Scope
The runtime instructions and run_agent_kimi.py require an OPENAI_API_KEY and OPENAI_BASE_URL and will call an external LLM (Moonshot/Kimi). That implies page HTML and/or screenshots may be transmitted to that remote endpoint during agent runs — a privacy/data-exfiltration risk for sensitive pages (logins, consoles, QR codes). The SKILL.md does not explicitly warn the user that page content will be sent to the LLM provider.
Install Mechanism
There is no install spec (instruction-only), which is low risk in that nothing is fetched automatically. However the Python scripts import packages (Pillow, python-dotenv, browser_use, etc.) and the README expects a virtualenv path to exist. Required dependencies are not declared in registry metadata, so a user may need to install additional packages manually.
!
Credentials
The registry metadata lists no required environment variables, but the SKILL.md and run_agent_kimi.py explicitly require OPENAI_API_KEY and OPENAI_BASE_URL (and optionally OPENAI_MODEL, etc.). Requesting an LLM API key/base URL is proportionate to running the bundled agent, but the omission from metadata is an inconsistency and a practical risk: secrets must be provided and will be used to contact an external service.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide settings. It uses the platform default (agent invocation allowed), which is expected for agent-capable skills.
What to consider before installing
This skill appears to implement local browser automation helpers and small Python utilities; the code is short and readable. Before installing or running it, consider: - Sensitivity: Running the bundled agent (run_agent_kimi.py) requires OPENAI_API_KEY and OPENAI_BASE_URL and will contact the specified LLM provider. Page HTML and screenshots could be sent to that remote endpoint — do not run the agent on pages containing secrets (password fields, private dashboards) unless you trust the provider and its data-handling policy. - Metadata mismatch: The registry lists no required env vars or dependencies, but the SKILL.md and code do require LLM credentials and Python packages (Pillow, python-dotenv, browser_use, etc.). Expect to create/activate a venv and install dependencies manually. - Minimal audit: The included scripts (image crop, base64 extraction, small agent runner) are small and understandable. If you plan to use it, run the non-agent CLI workflows first (they don't require an LLM key) and inspect/execute the Python scripts in an isolated environment. - Hardening suggestions: Only provide OPENAI_API_KEY/OPENAI_BASE_URL to this skill if you trust the endpoint; consider using an account with limited privileges, or run the agent in an isolated VM/container. Ask the publisher to update registry metadata to declare required env vars and dependencies so you can make an informed decision.

Like a lobster shell, security has layers — review code before you run it.

latestvk976w3spjx8qf0zzds9t7kfncd80jqme

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments