browser-automation-skills
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This appears to be a real browser automation skill, but it can control your existing logged-in Chrome session and perform clicks, typing, scraping, and form submissions with limited built-in boundaries.
Install only if you are comfortable giving an agent control over a Chrome session. For safer use, run it in a separate Chrome profile with no sensitive accounts logged in, keep remote debugging local, watch the browser while it acts, and require confirmation before any login, form submission, purchase, post, deletion, or account-changing action.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may be able to view or act inside websites where you are already logged in, including private dashboards, email, admin panels, or other account pages.
The script connects to an existing Chrome debugging endpoint and reuses an existing browser context/page, which can include the user's active authenticated sessions rather than an isolated automation profile.
CDP_ENDPOINT = os.environ.get("BROWSER_CDP_ENDPOINT", "http://localhost:9222") ... browser = await p.chromium.connect_over_cdp(CDP_ENDPOINT) ... context = contexts[0] ... page = pages[-1]Use a separate Chrome profile or temporary browser instance for automation, sign out of sensitive sites, keep CDP bound to localhost, and avoid using this skill on accounts where unintended clicks or reads would be harmful.
A mistaken or over-broad agent action could submit forms, log in, click account controls, or otherwise change data on a website using your browser session.
The skill explicitly enables broad interactive browser actions, including login and form submission, without artifact-backed approval checkpoints for high-impact or irreversible actions.
Use when the user wants to click something, fill in a form, type into an input, press a button, submit a form, ... log in to a website
Require explicit user confirmation before login, submission, posting, purchases, destructive actions, or any action on authenticated accounts; prefer read-only use unless the user clearly asks for a specific change.
Automation may be less visibly distinguishable from normal browsing to the user or to websites.
The documentation openly states that automation attaches to existing Chrome without the usual automation banner; this is disclosed, but users should not interpret the lack of a banner as lower risk or as permission to automate sites that prohibit it.
🚫 **No detection banner** — connects to existing Chrome via CDP
Use only where browser automation is appropriate and permitted, and keep visual oversight of the browser while actions run.
It may be harder to independently verify the publisher, update history, or full provenance of the browser-control code.
The registry metadata does not provide a source repository or homepage for a skill that controls the local browser; this is a provenance gap rather than evidence of malicious behavior.
Source: unknown Homepage: none
Review the included files locally before installation and prefer installing browser-control skills from publishers or repositories you trust.
Browser screenshots, recordings, or task details may be processed through a subagent workflow during automation.
The Antigravity backend delegates browser work to a subagent and may involve recordings or media paths; this is purpose-aligned but can include screenshots or page content from sensitive browsing sessions.
You do NOT call browser tools directly. You call `browser_subagent` ... `RecordingName` ... `MediaPaths`
Avoid running the skill on sensitive pages unless necessary, and review screenshots/recordings before sharing or saving them.