ClawHub
Back to skill
v0.1.0

Agent Browser

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 8:04 AM.

Analysis

Review before installing: this is a powerful browser-control skill that can reuse logged-in browser sessions and persist session tokens.

GuidanceInstall only if you need full browser automation. Verify the external `agent-browser` package first, use a dedicated browser profile or test account, avoid importing your main browser cookies unless necessary, enable encryption for saved state, delete auth files after use, and supervise any authenticated or irreversible website actions.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityMediumConfidenceHighStatusConcern
SKILL.md
`allowed-tools: Bash(npx agent-browser:*), Bash(agent-browser:*)` and the description says it can fill forms, click buttons, login to a site, and automate any browser task.

This exposes a broad browser-control CLI to the agent, including actions that can change accounts or submit data on arbitrary websites. That is purpose-aligned, but it is not narrowly scoped or paired with explicit approval rules for high-impact actions.

User impactIf used on sensitive sites, the agent could click, submit, upload, or change data as the user unless the user supervises and limits the task.
RecommendationUse this only for browser tasks you explicitly intend, supervise authenticated or irreversible actions, and require confirmation before submitting forms, making purchases, deleting data, or posting content.
Agentic Supply Chain Vulnerabilities
SeverityMediumConfidenceHighStatusConcern
SKILL.md
Install via `npm i -g agent-browser`, `brew install agent-browser`, or `cargo install agent-browser`. Run `agent-browser install` to download Chrome. Run `agent-browser upgrade` to update to the latest version.

The skill depends on an external executable and browser download/update path that is not pinned in the artifacts. Combined with unknown registry source/homepage, users must verify the CLI provenance before granting it browser/session access.

User impactInstalling or upgrading the wrong package could give untrusted code control over browser automation and access to saved or imported sessions.
RecommendationVerify the `agent-browser` package source before installing, pin trusted versions where possible, avoid automatic upgrades for sensitive workflows, and do not use `npx` with high-value sessions unless the package provenance is trusted.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityHighConfidenceHighStatusConcern
references/authentication.md
The fastest way to authenticate is to reuse cookies from a Chrome session you are already logged into ... `agent-browser --auto-connect state save ./my-auth.json` ... Any local process can connect and read cookies, execute JS, etc.

The skill documents importing authentication from a logged-in Chrome session via CDP. That gives the automation access to existing authenticated accounts and is not bounded to a specific site or account in the metadata.

User impactThe agent/CLI could act as you on websites where your browser is already logged in, potentially bypassing normal login, SSO, or MFA prompts.
RecommendationPrefer a dedicated browser profile or test account. Do not connect your everyday Chrome profile unless you intentionally want the agent to use those sessions, and close remote-debugging Chrome when finished.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
SeverityHighConfidenceHighStatusConcern
SKILL.md
`--session-name myapp` ... state auto-saved/restored; State files contain session tokens in plaintext -- add to `.gitignore` and delete when no longer needed.

The artifacts show persistent cookies/localStorage and state files that can contain plaintext session tokens. This creates reusable authentication state across runs and tasks.

User impactSaved state files could let future automation or anyone with file access reuse your web sessions; accidental commits or leftover files could expose accounts.
RecommendationSet `AGENT_BROWSER_ENCRYPTION_KEY` before saving sessions, add state files to `.gitignore`, delete them when done, and avoid long-lived sessions for sensitive accounts.