Midscene Web

Warn

Audited by ClawScan on May 14, 2026.

Overview

This looks like a real browser-automation skill, but it can control your logged-in Chrome and use screenshot-based AI analysis, so review it carefully before using it on private accounts.

Install only if you are comfortable with an agent running browser-automation commands. Prefer isolated Puppeteer mode for general browsing, use CDP/Bridge only when you explicitly want your logged-in Chrome controlled, and require confirmation before submissions, purchases, settings changes, or other irreversible actions. Avoid sensitive pages unless you trust the configured model provider and understand what screenshots or page data may be sent.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent could view or act within websites where you are already signed in, including account dashboards, orders, or other private pages.

Why it was flagged

This gives the agent authority to operate the user's authenticated browser session. The provided instructions do not clearly restrict which accounts/sites may be used or require explicit approval before sensitive account actions.

Skill content

“CDP vs Bridge: Both control the user's real Chrome with login sessions preserved... If the user doesn't specify, prefer CDP”

Recommendation

Use the isolated Puppeteer mode unless you explicitly need your logged-in browser. Enable CDP/Bridge only for a specific task and require confirmation before submitting forms, making purchases, changing settings, or accessing sensitive accounts.

What this means

A poorly scoped task could result in unintended website actions, such as submitting data or changing account state.

Why it was flagged

These are powerful browser mutation capabilities. In a logged-in session, clicking and typing can submit forms, change account data, or trigger transactions, and the visible instructions do not define a confirmation boundary for high-impact actions.

Skill content

“Midscene can click, right-click, double-click, hover, type or clear text, press keys, scroll, drag... and continue through multi-step page flows”

Recommendation

Give narrow instructions, avoid broad autonomous workflows on important accounts, and require the agent to stop and ask before any irreversible or externally visible action.

What this means

Private page contents visible in screenshots could be exposed to the configured AI model provider during automation.

Why it was flagged

Screenshot-driven visual inference with a configured model API implies page screenshots or visual page data may be sent to an external model provider. When used with logged-in browser sessions, those screenshots may contain private account data, and the artifacts do not define retention, redaction, or provider data boundaries.

Skill content

“Operates from screenshots” and “Midscene requires models with strong visual grounding capabilities... MIDSCENE_MODEL_API_KEY... MIDSCENE_MODEL_BASE_URL”

Recommendation

Use only trusted model endpoints, avoid sensitive pages unless necessary, and confirm what data the provider receives and retains before using the skill on private accounts.

What this means

Behavior can depend on the npm package version resolved at runtime rather than code reviewed in this artifact set.

Why it was flagged

The skill executes an external npm package at runtime, and `@1` pins only the major version. This is central to the stated purpose, but the runnable package code is not included in the provided artifacts.

Skill content

“Automate web browsing using `npx -y @midscene/web@1`.”

Recommendation

Prefer exact-version pinning and install only if you trust the Midscene npm package and its update channel.

What this means

A browser session or its state may remain available across multiple automation commands.

Why it was flagged

The browser session persists between CLI invocations. The persistence is disclosed and appears workflow-related, but users should understand that browser state may remain after a task.

Skill content

“launches a headless Chrome via Puppeteer that **persists across CLI calls** — no session loss between commands”

Recommendation

Close the automated browser or clear session state after sensitive tasks, especially when using authenticated pages.