browser
Review
Audited by ClawScan on May 18, 2026.
Overview
This is a plausible browser automation skill, but its setup can run unreviewed external code, persist itself into agent skill directories, and expose stored configuration values.
Before installing, confirm the exact bsession source repository and commit, use a VNC password, and inspect what will be written under ~/.bsession, ~/.openclaw, and ~/.claude. Avoid storing secrets in conf files unless the skill masks them, and review any recurring browser automation before enabling it.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running setup may execute browser automation code and Docker build contents that were not reviewed with this skill package.
The installer requires core runtime files that are not present in the reviewed manifest, and it can clone then build/run an unpinned external source tree.
REQUIRED_FILES="Dockerfile docker-compose.yml session.py entrypoint.sh bsession lib/browser.py" ... git clone "$REPO_URL" "$BSESSION_HOME" ... docker compose build
Pin the repository to a trusted commit or bundle the required source files for review, and clearly show the exact source before building or starting the container.
A setup run can modify future agent behavior in both OpenClaw and Claude Code without a clearly separated opt-in or uninstall path.
The setup script installs or updates persistent skill files in multiple agent environments, not just the current OpenClaw skill directory.
CLAUDE_SKILL_DIR="$HOME/.claude/skills/browser" ... OPENCLAW_SKILL_DIR="$HOME/.openclaw/workspace/skills/browser" ... cp "$SCRIPT_DIR/install.sh" "$OPENCLAW_SCRIPT_DIR/install.sh"
Ask before installing into other agent platforms, document every persistent file written, and provide a scoped uninstall command.
Secrets stored for browser automations could be pulled into the agent conversation or displayed unnecessarily.
Saved env configuration for automations can include webhook URLs, API tokens, account identifiers, or other secrets, and the instruction says to show the current configuration without masking.
For each `.conf` file in `~/.bsession/workspace/conf/`, read the `[env]` section to show current configuration.
Mask secret-looking values by default, only reveal specific config keys on user request, and document where automation credentials are stored.
If the VNC service is exposed, another local or network user could potentially view or control the browser session.
The installer explicitly permits a browser/VNC setup with no password; whether this is externally reachable depends on the unprovided Docker configuration.
--vnc-password <pw> Set a VNC password (default: none) ... info "No VNC password set (open access)."
Set a VNC password during setup and verify Docker only exposes browser/VNC ports to trusted interfaces.
A saved or recurring automation could submit forms, change account state, or repeatedly contact websites if configured that way.
The skill is designed to drive web pages, including filling fields, clicking controls, and creating recurring automations; this is expected for browser automation but can affect real websites or accounts.
docker exec agent-browser agent-browser --cdp PORT fill REF "value" ... click REF ... create scripted automations (one-shot or recurring)
Review target domains, actions, schedules, and outputs before running or saving automations, especially for logged-in sites.
