Skillv2.5.0

ClawScan security

browserbase-sessions · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 14, 2026, 6:45 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill mostly does what it says (manage Browserbase sessions) but includes extra automation code, a mismatch in declared vs. required environment variables, and features (recording, captcha solving, downloads) that raise privacy/privilege concerns you should review before installing.
Guidance: What to consider before installing and enabling this skill: - Credentials: You will need to provide BROWSERBASE_API_KEY and BROWSERBASE_PROJECT_ID. The skill metadata only lists the API key, but the code requires the Project ID too — expect the agent to ask for both. The Node utility may optionally use OPENAI_API_KEY or other model/service keys if you run it. - Local state and privacy: The skill stores contexts, workspaces, and handoff files in a directory under your home (default: ~/.browserbase). It also enables session recording, logging, and captcha solving by default. Session recordings, logs, cookies, localStorage and any downloaded files can contain sensitive data — review and disable recording/logging/captcha solving if you need stricter privacy. - Install side-effects: Installation uses pip and Playwright. Playwright will download Chromium (large binary) and the Python packages from PyPI; the Node script depends on npm packages. Review requirements.txt and package.json if you prefer to vet packages before installation. - Expanded scope: The included Node script (dedication_automation.mjs) automates third-party sites via a Browserbase session and may invoke LLM services. If you won't use that functionality, consider removing or isolating that file or running the skill in a sandboxed environment. - Trust and least privilege: Only supply a Browserbase API key you trust to the agent and consider using a dedicated project / limited-permission key if Browserbase supports scoped keys. If you must provide other service keys (OpenAI, custom GPT endpoints), prefer ephemeral or scoped credentials. - Code review: If you are not comfortable installing immediately, review the provided scripts (browserbase_manager.py and dedication_automation.mjs) yourself or have someone audit them. Pay attention to any network calls (they target api.browserbase.com, which aligns with the skill) and file-write locations. - Operational practice: Run the install/setup in a controlled environment (virtualenv/venv or container) so Playwright and dependencies don't affect global Python environment. Disable recording/logging by default unless you need it. If you want, I can: - highlight the exact lines where environment variables are read and where recording/captcha/remote links are enabled, - extract the list of third-party packages the skill will install, - or show the filesystem paths the skill will write to so you can pre-create or sandbox them.

Review Dimensions

Purpose & Capability: noteThe skill's name and description match the included Python CLI and SKILL.md: it manages Browserbase sessions, contexts, workspaces, and human handoffs. However, the package also bundles a Node script (dedication_automation.mjs) that automates external services (ChatGPT/Suno Hitmaker) using a Browserbase session — that expands functionality beyond pure session management. The extra automation is plausibly useful but broadens the skill's scope and credential needs.
Instruction Scope: noteSKILL.md instructs the agent to request BROWSERBASE_API_KEY and BROWSERBASE_PROJECT_ID, install Python deps and Playwright, create sessions, share live remote-control links, run human handoffs, and fetch recordings/download archives. Those instructions are coherent for a Browserbase integration. They do, however, direct actions that can capture or transmit sensitive content (session recordings, downloaded files, cookies/localStorage) and to automatically solve CAPTCHAs — all expected for this functionality but privacy-sensitive. The instructions do not appear to ask the agent to read unrelated system files or exfiltrate secrets to unknown endpoints.
Install Mechanism: okThere is no remote arbitrary binary download in the skill bundle; installation is handled via pip (requirements.txt) and Playwright (which downloads browser binaries) and Node dependencies listed in package.json/pnpm-lock. These are standard registries (PyPI/npm packages, Playwright's browser downloads). No suspicious shorteners or personal servers are used in the provided files. Installing Playwright will download large browser binaries — expected but notable.
Credentials: concernMetadata declares a primaryEnv (BROWSERBASE_API_KEY) but registry 'required env vars' is empty; in reality the code and SKILL.md require both BROWSERBASE_API_KEY and BROWSERBASE_PROJECT_ID (get_env is called for both). The Node automation script optionally references OPENAI_API_KEY / STAGEHAND_MODEL_API_KEY and CHATGPT_HITMAKER_URL — additional credentials that expand the blast radius. This mismatch between declared and actually-required env vars is a meaningful inconsistency that could lead to surprise credential prompts or misuse.
Persistence & Privilege: okalways:false and the skill does not request system-wide privileges. The CLI writes local state under a dedicated directory (~/.browserbase by default) for contexts, workspaces, and handoffs — expected behavior for persisting session/workspace metadata. It does not modify other skills' configs. Because autonomous invocation is allowed by default, be aware that the agent could autonomously create/start sessions if enabled; that is platform-normal but increases potential impact if you supply credentials.