Agent Browser Core 1.0.1
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: agent-browser-core-1-0-1
Version: 1.0.0
The skill bundle describes a powerful web automation CLI tool (`agent-browser`) that possesses high-risk capabilities such as arbitrary JavaScript execution (`eval`), local file access (`--allow-file-access`), file downloads (`download`), credential manipulation (`set credentials`), and network interception (`network route`, `--proxy`). While the documentation (SKILL.md, references/agent-browser-command-map.md, references/agent-browser-safety.md) explicitly identifies these as 'sensitive' or 'high-risk' and provides extensive safety guidelines and warnings against their misuse, the mere existence and description of these capabilities within the skill bundle makes it suspicious. An AI agent, if not properly constrained or if subjected to prompt injection, could potentially be instructed to leverage these features for unauthorized actions, data exfiltration, or system compromise, despite the bundle's good-faith warnings.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the wrong or untrusted CLI package could give a browser automation tool broad local and web access.
The skill relies on an external globally installed CLI and browser runtime downloads. This is purpose-aligned and user-directed, but package provenance and exact versions matter.
Pin the version you trust:
- `npm install -g agent-browser@<version>`
...
- Install browser runtime:
  - `agent-browser install`
Pin an exact trusted version, verify the package source, and install in a dedicated environment or container as the skill recommends.
If approved too broadly, the agent could run scripts in pages, access local files, or manipulate browser/network behavior.
The documented CLI can perform powerful browser and runtime operations. The same file requires approval and safe-mode controls, so this is a disclosed, purpose-aligned risk rather than hidden behavior.
High-risk capabilities
- `eval` (arbitrary JavaScript)
- `--allow-file-access` (local file access)
- `--executable-path`, `--args`, `--cdp` (custom runtime control)
- `network route` / `set headers` / `--proxy` (traffic manipulation)
Keep safe mode enabled, allowlist target domains, and require explicit human approval with a clear scope for eval, file access, proxy, headers, CDP, or network interception.
Authenticated automation can click, fill, or submit actions inside accounts if the user provides a logged-in session.
The skill anticipates authenticated browser use. That is expected for web automation, but it means the agent may act with the user's website account privileges.
Session or profile strategy if authentication is required.
Use dedicated low-privilege accounts or profiles where possible, define target URLs and allowed actions, and avoid giving access to unrelated personal or business sessions.
Saved state files could allow future tasks or other users with file access to reuse authenticated sessions.
Saved browser state can persist cookies, tokens, and session context across runs. The artifact correctly labels state files as sensitive.
- Log in once and `state save`.
- Reuse with `state load` in later runs.
- Treat state files as secrets and rotate when needed.
Store state files securely, keep them task-specific, delete or rotate them when done, and avoid sharing them with other agents or workflows.
