Agent Browser Core 1.0.1
Pass
Audited by ClawScan on May 1, 2026.
Overview
This is an instruction-only browser automation guide that discloses sensitive capabilities and recommends approvals, but users should verify the external CLI and protect authenticated sessions.
Before installing, verify the agent-browser package and pin a trusted version. Run it in an isolated environment, allowlist only the intended domains, block localhost/private networks, require explicit approval for eval/file/network/proxy/download/cookie/storage/state actions, and use dedicated ephemeral browser profiles or state files for authenticated work.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the wrong or untrusted CLI package could give a browser automation tool broad local and web access.
The skill relies on an external globally installed CLI and browser runtime downloads. This is purpose-aligned and user-directed, but package provenance and exact versions matter.
- Pin the version you trust:
  - `npm install -g agent-browser@<version>`
- ...
- Install browser runtime:
  - `agent-browser install`
Pin an exact trusted version, verify the package source, and install in a dedicated environment or container as the skill recommends.
If approved too broadly, the agent could run scripts in pages, access local files, or manipulate browser/network behavior.
The documented CLI can perform powerful browser and runtime operations. The same file requires approval and safe-mode controls, so this is a disclosed, purpose-aligned risk rather than hidden behavior.
High-risk capabilities
- `eval` (arbitrary JavaScript)
- `--allow-file-access` (local file access)
- `--executable-path`, `--args`, `--cdp` (custom runtime control)
- `network route` / `set headers` / `--proxy` (traffic manipulation)
Keep safe mode enabled, allowlist target domains, and require explicit human approval with a clear scope for eval, file access, proxy, headers, CDP, or network interception.
Authenticated automation can click, fill, or submit actions inside accounts if the user provides a logged-in session.
The skill anticipates authenticated browser use. That is expected for web automation, but it means the agent may act with the user's website account privileges.
Session or profile strategy if authentication is required.
Use dedicated low-privilege accounts or profiles where possible, define target URLs and allowed actions, and avoid giving access to unrelated personal or business sessions.
Saved state files could allow future tasks or other users with file access to reuse authenticated sessions.
Saved browser state can persist cookies, tokens, and session context across runs. The artifact correctly labels state files as sensitive.
- Log in once and `state save`.
- Reuse with `state load` in later runs.
- Treat state files as secrets and rotate when needed.
Store state files securely, keep them task-specific, delete or rotate them when done, and avoid sharing them with other agents or workflows.
