Agent Browser 0.2.0
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: agent-browser-0-2-0
Version: 1.0.0
The skill wraps the 'agent-browser' CLI, a powerful browser automation tool, and grants the AI agent broad Bash permissions to execute its commands. While the skill itself does not contain explicit malicious instructions, the documented capabilities of 'agent-browser' (e.g., arbitrary file upload/save, network interception/modification, and JavaScript execution via `eval`) present significant vulnerabilities. These features, if exploited through prompt injection or an unconstrained agent, could lead to data exfiltration, unauthorized file access, or other harmful actions, classifying it as suspicious due to high-risk capabilities without clear malicious intent.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used on sensitive sites, the agent could perform real web actions such as changing settings, submitting forms, or uploading a selected file.
The skill grants the agent access to a broad browser automation CLI. This matches the purpose, but the commands can click, type, submit, and upload files on websites.
allowed-tools: Bash(agent-browser:*)
...
agent-browser click @e1
...
agent-browser fill @e2 "text"
...
agent-browser upload @e1 file.pdf
Use it for clearly requested browser tasks, and review/confirm actions before account changes, purchases, posts, deletions, or file uploads.
The behavior ultimately depends on the installed agent-browser package, not just this skill documentation.
The actual executable is installed from npm or built from GitHub, and the reviewed skill contains no code files for that CLI. This is normal for a wrapper skill, but users are trusting the external package/source.
npm install -g agent-browser
agent-browser install
agent-browser install --with-deps
...
git clone https://github.com/vercel-labs/agent-browser
cd agent-browser
pnpm install
pnpm build
Install only from a trusted package/source, consider pinning a known version, and verify the upstream project before using it with important accounts or data.
If credentials are used on the wrong site or exposed in command history/output, protected account access could be affected.
The CLI can be given HTTP Basic Auth credentials. That is expected for browser automation, but credentials grant access to protected sites.
agent-browser set credentials user pass # HTTP basic auth
Only provide credentials for intended sites, avoid sharing secrets in prompts when possible, and clear or rotate credentials if they may have been exposed.
Session data from one browsing task could be visible in outputs or reused in later browser actions.
The browser context can retain and expose cookies or localStorage. This is useful for logged-in automation, but those values may include sensitive session data.
Recording creates a fresh context but preserves cookies/storage from your session
...
agent-browser cookies # Get all cookies
agent-browser storage local # Get all localStorage
Use separate browser contexts for sensitive work, avoid unnecessary cookie/storage inspection, and clear cookies/storage after tasks involving private accounts.
