v1.0.0

Browser Stagehand

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 8:39 AM.

Analysis

Review before installing: this is a plausible browser automation skill, but it asks for an unreviewed npm/global CLI setup, uses browser/API credentials, preserves session state, and may route browsing through remote providers automatically.

Guidance: Only install this after inspecting the complete CLI package source and package metadata. Use a disposable browser profile, avoid private or high-value accounts unless you supervise each step, confirm whether Browserbase remote mode is active, and clean up screenshots, downloads, cache, and `.chrome-profile/` after sensitive sessions.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
Check `setup.json` in this directory. If `setupComplete: false`:

```bash
npm install    # Install dependencies
npm link       # Create global 'browser' command
```

The skill asks the agent/user to install dependencies and globally link a CLI, but the provided package is described as instruction-only with no install spec or code files, leaving the executable implementation and npm behavior unreviewed.

User impact: Installing or linking an unreviewed CLI could run unexpected package scripts or create a global command whose behavior is not represented by the submitted artifacts.
Recommendation: Do not run npm install/npm link from this skill unless you can inspect the full package source, package.json, lockfile, and publisher provenance.
Tool Misuse and Exploitation
Severity: Low | Confidence: High | Status: Note
REFERENCE.md
Note: Without specificity it might succeed on the wrong element!

The tool intentionally uses natural-language instructions to perform browser actions, and the reference itself warns that ambiguous commands may interact with the wrong page element.

User impact: An imprecise command could click, type, or submit something different from what the user intended.
Recommendation: Use specific action descriptions, inspect screenshots/observations before submitting forms or changing account data, and ask for confirmation before irreversible website actions.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Concern
EXAMPLES.md
**Note**: This example uses Chrome's user profile (`.chrome-profile/`) which may preserve session cookies between runs.

The skill can preserve authenticated website sessions across runs; this is high-impact account/session state and the artifacts do not provide clear retention, cleanup, or per-site scoping controls.

User impact: A future browser automation task may reuse logged-in website sessions, which could let the agent act inside accounts without re-authentication.
Recommendation: Use a dedicated disposable browser profile, log out after sensitive tasks, and delete `.chrome-profile/` when session reuse is not intended.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
- **If Browserbase API keys exist** (BROWSERBASE_API_KEY and BROWSERBASE_PROJECT_ID in .env file): Uses remote Browserbase environment
- **No user prompting**: The selection happens automatically based on available configuration

Browsing may be moved to a remote Browserbase environment automatically when keys are present, which can change where page content, actions, and possibly entered credentials are processed.

User impact: Sensitive browsing activity could occur in a remote provider environment without a fresh prompt at the time of use.
Recommendation: Before using the skill on private or authenticated sites, confirm whether local or Browserbase mode will be used and remove Browserbase keys from the environment when remote browsing is not desired.
Memory and Context Poisoning
Severity: Low | Confidence: High | Status: Note
REFERENCE.md
- **Screenshots**: `./agent/browser_screenshots/` - Screenshot output directory
- **Downloads**: `./agent/downloads/` - File download directory
...
- `enableCaching: true`: Caches page analysis for better performance

The skill stores screenshots, downloads, and cached page analysis as part of normal operation, which can retain private page contents after the task finishes.

User impact: Screenshots, downloaded files, or cached page information from sensitive sites may remain on disk.
Recommendation: Periodically clear `./agent/browser_screenshots/`, `./agent/downloads/`, and any cache/profile directories after sensitive browsing.