tekin
ReviewAudited by ClawScan on May 10, 2026.
Overview
This appears to be a legitimate browser-automation wrapper, but it depends on an external npm CLI and can let an agent operate websites and handle session data.
Install this only if you trust the external agent-browser package. When using it, supervise actions on logged-in sites, use test accounts when practical, avoid unnecessary credential or file exposure, and clear browser session data after sensitive tasks.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the skill requires trusting the external agent-browser package and whatever dependencies its installer retrieves.
The skill relies on installing an external, unpinned global npm package and running its installer. That is normal for this wrapper, but the package code is not included in the artifact set.
npm install -g agent-browser agent-browser install agent-browser install --with-deps
Install only from the verified upstream package, consider pinning a known-good version, and review the package source or provenance before using it in sensitive environments.
If used on authenticated or sensitive websites, the agent could click buttons, fill forms, or upload selected files according to its task.
The documented commands allow the agent to interact with websites and upload files. This is central to browser automation, but it can have real effects on third-party sites.
agent-browser click @e1 agent-browser fill @e2 "text" agent-browser upload @e1 file.pdf
Use this on trusted sites, prefer test accounts where possible, and require explicit confirmation before submissions, purchases, public posts, account changes, or file uploads.
The agent may be able to use or display session-related data for sites opened in the automated browser.
The skill documents commands for supplying HTTP Basic Auth credentials and reading browser cookies/localStorage in the automation context. This is expected for browser testing/automation but can involve account session data.
agent-browser set credentials user pass # HTTP basic auth agent-browser cookies # Get all cookies agent-browser storage local # Get all localStorage
Avoid using real credentials unless necessary, do not run it against highly sensitive accounts, and clear cookies/storage after tasks that involve login sessions.