Browserbase Persist with captcha
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill matches its browser-automation purpose, but it can bypass CAPTCHAs, keep logged-in sessions/cookies in cloud browsers, and record authenticated browsing by default.
Install only if you trust both this skill and Browserbase for sensitive browsing. Use it only on sites where automation is authorized, consider disabling CAPTCHA solving and recording unless needed, use separate low-privilege accounts and contexts, and always terminate sessions and delete contexts when finished.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could automate access to pages that are deliberately protected from bots, which may violate site rules, trigger account enforcement, or be misused for unauthorized scraping.
The skill makes automated CAPTCHA solving the default path for protected pages, which can bypass anti-bot or manual-verification controls on third-party sites.
**Solve CAPTCHAs automatically** — login flows and protected pages work without manual intervention (enabled by default)
Use only on sites and accounts where you have clear authorization. Prefer disabling CAPTCHA solving by default with `--no-solve-captchas` and require explicit user approval before enabling it.
If a user logs in during a Browserbase session, the agent may be able to act with that account’s privileges and expose session cookies or authenticated content.
The skill can operate inside browser sessions and read cookies, which may include logged-in account session data.
**Automate browsing** — navigate, execute JavaScript, extract page content, read cookies
Use dedicated low-privilege accounts when possible, avoid sensitive accounts, and require explicit confirmation before reading cookies, executing JavaScript, or browsing authenticated pages.
Cookies and local storage from logged-in sites may remain available across future sessions and tasks, increasing the impact if the context is reused incorrectly or compromised.
Authentication state is designed to persist in Browserbase contexts indefinitely unless the user deletes it.
**Contexts never expire** on Browserbase's side - **persist: true** saves cookies/storage changes back to context on close
Create separate contexts per site or task, delete contexts when finished, and avoid persisting highly sensitive sessions unless necessary.
A session may remain logged in and consume Browserbase resources until it is explicitly terminated.
Keep-alive behavior is disclosed and bounded, but it means a cloud browser can continue running after the user disconnects.
**Keep-alive for research.** Set `--keep-alive` for long research sessions. The browser survives network disconnections and persists until explicitly terminated — up to 6 hours.
Use keep-alive only when needed, track active sessions, and run `terminate-session` after each task.
Dependency behavior could change over time when installing in a fresh environment.
The setup depends on packages using lower-bound version ranges rather than exact pinned versions, so future installs may pull newer code.
`browserbase>=1.0.0`, `playwright>=1.40.0`
Install in an isolated virtual environment and pin or review dependency versions before using the skill for sensitive authenticated browsing.
