Browser Use API

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If given an unsafe or overly broad task, the cloud browser could interact with websites, submit forms, or scrape pages in ways the user did not intend.

Why it was flagged

The skill intentionally delegates broad browser automation to a cloud service, including actions like form filling and submissions. This is purpose-aligned, but users should notice the breadth of actions it can perform.

Skill content

Use when you need AI-driven web browsing, scraping, form filling, or multi-step web tasks

Recommendation

Use explicit task wording and require confirmation before logins, purchases, public posts, form submissions, or account-changing actions.

What this means

Anyone with access to the API key could potentially run tasks or consume credits on the associated Browser Use account.

Why it was flagged

The helper uses a Browser Use API key from the environment to authenticate requests. This is expected for the service, but it ties tasks and usage costs to the user's provider account.

Skill content

-H "X-Browser-Use-API-Key: $BROWSER_USE_API_KEY"

Recommendation

Keep the API key secret, use a dedicated or limited key if the provider supports it, monitor usage, and rotate the key if exposed.

What this means

Sensitive URLs, form contents, personal data, or secrets included in tasks or browser sessions may be visible to or processed by the external provider.

Why it was flagged

Task descriptions and browsing results are intentionally exchanged with a third-party cloud automation service. The API reference also describes returned steps with screenshots, so sensitive task content may leave the local environment.

Skill content

Cloud-based AI browser automation. Send a task in plain English, get structured results.

Recommendation

Avoid including passwords, private data, or confidential business information unless the provider's privacy, retention, and security terms are acceptable.

What this means

The helper may fail on systems that do not already have these tools available.

Why it was flagged

The helper script depends on curl and python3, while the provided requirements list no required binaries. This is a dependency declaration gap, not evidence of hidden behavior.

Skill content

RESPONSE=$(curl -s -X POST "$API_URL/tasks" ... python3 -c

Recommendation

Document curl and python3 as helper-script prerequisites, or verify they are installed before using the script.