Agent Browser
Review
Audited by ClawScan on May 10, 2026.
Overview
This is a coherent browser-automation skill, but it relies on an unverified external CLI and includes powerful login/session, JavaScript, and proxy features that need careful review.
Install only if you trust the agent-browser CLI package and can pin/verify it. Be cautious with logins, saved auth-state files, arbitrary JavaScript, file uploads, and proxy-based scraping. Require explicit confirmation before the agent submits forms, changes account data, posts publicly, purchases anything, or performs large-scale scraping.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the external CLI package is compromised or different from expected, it could control browser sessions, handle credentials, capture pages, or persist auth state.
The skill permits running an external agent-browser CLI, including via npx. Combined with the provided metadata showing unknown source, no homepage, and no install spec, the executable that controls browser sessions is not pinned or reviewable in these artifacts.
allowed-tools: Bash(npx agent-browser:*), Bash(agent-browser:*)
Use only a trusted, pinned version of the agent-browser CLI; avoid automatic npx execution unless you have verified the package source and integrity.
Using these workflows against third-party sites may violate terms of service, trigger account/IP blocks, or enable abusive scraping behavior.
The reference explicitly recommends proxy rotation to avoid rate limiting during scraping, which can bypass website abuse controls and exceed normal browser-automation use.
### Rotating Proxies for Scraping
# Rotate through proxy list to avoid rate limiting
Use proxies only for legitimate testing or corporate routing, respect robots.txt/terms/rate limits, and require explicit user approval for scraping at scale.
JavaScript run in an authenticated page can read or change page data and may perform actions as the logged-in user.
The CLI supports arbitrary JavaScript execution in the browser context. This is a common browser-automation escape hatch, but it is powerful and should be used intentionally.
agent-browser eval -b "<base64>" # Any JavaScript (base64 encoded)
agent-browser eval --stdin # Read script from stdin
Prefer normal click/fill/get commands when possible, review JavaScript before running it, and avoid executing JS from untrusted pages or prompts.
An automated browser session can act as you on websites where you log in.
The skill documents entering account credentials and saving authenticated browser state. That is purpose-aligned for login automation, but it grants delegated account access.
agent-browser fill @e1 "$APP_USERNAME"
agent-browser fill @e2 "$APP_PASSWORD"
...
agent-browser state save ./auth-state.json
Use least-privilege accounts where possible, avoid entering credentials unless needed, and confirm sensitive actions such as purchases, posts, deletions, or account changes.
Anyone or any process with access to saved state files may be able to reuse web sessions.
Saved session files can contain cookies and browser storage, which may include authentication tokens or other sensitive state reused across tasks.
State File Contents
{
"cookies": [...],
"localStorage": {...},
"sessionStorage": {...},
"origins": [...]
}
Store state files outside shared repositories, encrypt or delete them when no longer needed, and clear sessions after sensitive work.
Browser state can remain active after a task unless closed or cleared.
The skill discloses background browser persistence between commands. This is useful for automation, but users should understand that browser/session state may outlive a single command.
The browser persists between commands via a background daemon
Close sessions when finished and use the documented state/session cleanup commands for sensitive sites.
