ClawHub
Back to skill
v1.0.0

Agent Browser Jau771

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 8:09 AM.

Analysis

This is a coherent browser-automation skill, but it gives an agent broad website-control and session/cookie access through an external CLI, so it warrants careful review before installation.

GuidanceInstall this only if you need agent-driven browser automation. Verify and preferably pin the external agent-browser package, use a separate browser profile or test account, avoid sensitive logged-in sessions, and require confirmation before any form submission, purchase, account change, destructive click, or file upload.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityMediumConfidenceHighStatusConcern
SKILL.md
allowed-tools: Bash(agent-browser:*) ... agent-browser click @e1 ... agent-browser fill @e2 "text" ... agent-browser upload @e1 file.pdf # Upload files

The skill grants the agent broad browser-control commands, including clicking, filling forms, and uploading files, without documented approval gates or scoped limits.

User impactAn agent using this skill could submit forms, change account state, click destructive controls, or upload a local file on a website if it is operating in an authenticated or sensitive browsing session.
RecommendationUse this only for intended browser automation tasks, and require explicit user confirmation before submissions, purchases, account changes, destructive clicks, or file uploads.
Agentic Supply Chain Vulnerabilities
SeverityLowConfidenceHighStatusNote
CONTRIBUTING.md
npm install -g agent-browser@latest

The setup guidance installs an external npm package globally using the latest version; this is expected for a CLI wrapper, but it leaves package/version provenance for the user to verify.

User impactInstalling or updating could pull a different upstream version than expected, and that package runs with the user's local permissions.
RecommendationVerify the npm package and upstream repository, pin a trusted version where possible, and install in an isolated environment if handling sensitive browsing tasks.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityHighConfidenceHighStatusConcern
SKILL.md
Recording creates a fresh context but preserves cookies/storage from your session. ... agent-browser cookies # Get all cookies ... agent-browser storage local # Get all localStorage ... agent-browser set credentials user pass

The documented commands can read or preserve session cookies/localStorage and set HTTP basic-auth credentials, giving the agent access to web identity/session material without clear scoping.

User impactIf used on logged-in sites, the agent may be able to view session data or act with the user's web-account privileges.
RecommendationPrefer isolated browser profiles and test accounts, avoid sensitive logged-in sites, clear cookies/storage after use, and do not provide credentials unless the task explicitly requires them.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
SeverityLowConfidenceHighStatusNote
SKILL.md
agent-browser snapshot # Full accessibility tree ... agent-browser get html @e1 # Get innerHTML

The skill intentionally brings webpage text, structure, and HTML into the agent's context; that is central to browser automation but can expose untrusted or sensitive page content.

User impactA malicious or sensitive webpage could place misleading instructions or private content into the agent's working context or logs.
RecommendationTreat webpage content as untrusted data, not instructions, and avoid snapshotting or exporting sensitive pages unless necessary.