Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Agent Browser

v0.1.0

Browser automation CLI for AI agents. Use when the user needs to interact with websites, including navigating pages, filling forms, clicking buttons, taking...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
[!] Purpose & Capability
The skill's name and description match the included templates and documentation: it is clearly a browser-automation CLI helper. However the registry metadata claims no required binaries or env vars, while SKILL.md and the templates repeatedly call an external CLI named `agent-browser` and demonstrate/require environment variables (e.g., APP_USERNAME, APP_PASSWORD, AGENT_BROWSER_ENCRYPTION_KEY, AGENT_BROWSER_*) and state file locations (~/.agent-browser/sessions/, ./auth-state.json). The omission of the primary runtime dependency (the agent-browser binary) from metadata is an incoherence: either the binary is expected to already exist on the host, or the metadata is incomplete.
[!] Instruction Scope
The runtime instructions and templates instruct the agent to read and write local state files (session/state JSONs), load/save authentication state, access environment variables for credentials and encryption keys, configure proxies (including proxied credentials), and execute arbitrary JavaScript via `agent-browser eval --stdin` or base64-encoded scripts. These actions go beyond simple read-only browsing: they persist sensitive tokens to disk, may require credential environment variables, and allow arbitrary JS to run in page contexts (a capable avenue for data extraction/exfiltration if misused). While these operations are coherent with a browser automation tool, the SKILL.md grants broad discretion (e.g., use of proxies and base64 JS) and references env vars that are not declared in the skill's required env list.
Install Mechanism
There is no install specification (instruction-only), and the repository contains only documentation and shell templates. That is lower risk from an installer perspective because nothing in the skill package will automatically download and execute code. However the templates assume an external CLI (`agent-browser`) is present and will be invoked; the skill does not provide or declare how that binary is installed. You should confirm where `agent-browser` comes from and inspect/trust that binary before running templates.
[!] Credentials
The skill metadata lists no required environment variables, but the SKILL.md and templates make repeated use of environment variables for credentials (APP_USERNAME, APP_PASSWORD), encryption keys (AGENT_BROWSER_ENCRYPTION_KEY), and proxy variables (HTTP_PROXY/HTTPS_PROXY/ALL_PROXY). Those are sensitive by nature (passwords, session tokens, proxy creds) and they are used to persist state files that 'contain session tokens'. The skill does not declare these as required, nor does it limit how/where state is stored. This mismatch reduces transparency about what secrets the skill will touch.
Persistence & Privilege
The skill does not request special platform privileges (always:false). It explicitly instructs saving and loading session state files (cookies/localStorage/indexedDB) to disk and storing sessions under ~/.agent-browser/sessions or user-specified files. Persisting browser auth state locally is expected for this class of tool, but these files contain credentials/session tokens and must be handled carefully (the docs themselves warn against committing them). The skill does not attempt to modify other skills or global agent settings.
What to consider before installing
This skill appears to implement a real browser-automation workflow, but there are important mismatches and risks to consider before installing or running it:
- Confirm the `agent-browser` CLI: SKILL.md and templates repeatedly invoke an external `agent-browser` command, but the package metadata does not declare that binary or an install path. Ask the publisher where that binary comes from and inspect/trust it before running any templates.
- Sensitive env vars and state files: the docs reference APP_USERNAME, APP_PASSWORD, AGENT_BROWSER_ENCRYPTION_KEY, and proxy credentials. The templates save session files that contain cookies/storage (they can include auth tokens). Do not run templates with real credentials until you understand where state files are written and how they are protected; avoid committing state files to source control.
- Arbitrary JS execution: the tool supports running arbitrary JavaScript in pages (base64 or stdin). That is useful for scraping or testing but can be used to extract secrets displayed in the page context. Only run JS you understand, and review any automation scripts that use `eval`/`--stdin`.
- Network/proxy controls: the skill encourages using proxies and rotating proxies for scraping. These features enable behaviors that may violate target sites' terms of service or be used for large-scale scraping. Ensure you have appropriate authorization and comply with laws/policies.
- Minimal install surface here: because this is instruction-only, the repository itself doesn't install code, but templates will call an external CLI. Inspect and vet that CLI and any provider binaries before use.

Recommendations:
1) Ask the publisher for the source and install instructions for the `agent-browser` binary and verify its authenticity.
2) If you plan to use saved session files, configure and use encryption keys and delete them when done; follow the docs' 'never commit state files' advice.
3) Prefer ephemeral credentials for automation and use short-lived accounts for CI/testing.
4) Review any automation scripts (especially those using eval or proxies) for unintended data exfiltration.

If the publisher cannot explain where `agent-browser` is obtained or why the metadata omits the runtime dependencies and expected env vars, treat installation as higher risk.
