Skillv2.4.0

ClawScan security

Browser Agent Pro · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 17, 2026, 4:33 AM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill's requirements and instructions are internally consistent with a browser-automation tool, but it includes several sensitive capabilities (reusing browser profiles, reading clipboard/files, network HARs, cloud proxying) that users should consciously approve and protect.
Guidance: This skill appears to do what it says (drive a browser locally or via Browserbase). Before installing or using it: - Verify the origin of the agent-browser npm package (check its npm page, repository, and recent maintainer activity) before running global npm installs. - Avoid using your 'Default' Chrome profile; reuse of real browser profiles can leak saved logins, cookies, and extensions. Prefer isolated sessions or dedicated profiles. - Treat the Browserbase API key like any secret: prefer a secrets vault over a plaintext ~/.openclaw/.env file when possible; if you must use a file, follow the recommended file-permission guidance and understand where the CLI stores credentials. - Be aware that commands like clipboard read, upload/download, network HAR, get html, screenshot, get cdp-url, streaming, and dashboard can expose sensitive data. Only run the skill on sites and data you explicitly trust and monitor outputs before sharing. - If you have strict data-exfiltration or compliance requirements, test the CLI in an isolated environment first and audit its on-disk storage and network traffic (including what Browserbase receives) before granting it access to real accounts.

Review Dimensions

Purpose & Capability: okName/description (local headless Chrome + Browserbase cloud) matches the runtime instructions: the SKILL.md tells the agent to install and use the agent-browser CLI and to optionally configure a Browserbase API key. Required capabilities (CLI, optional cloud API key, session/profile management) are expected for this purpose.
Instruction Scope: noteInstructions are explicit about installing and using the agent-browser CLI and about when to prefer Browserbase (403, CAPTCHAs, etc.). They also instruct reuse of a real Chrome profile (--profile Default), saving/loading session states, using auth save/login, reading/writing ~/.openclaw/.env, and using commands like clipboard read, upload/download, network har, get html, get cdp-url, streaming and dashboard. Those actions are coherent for advanced browser automation but grant access to potentially sensitive local data (browser cookies, saved logins, clipboard contents, downloaded/uploaded files, recorded network traffic, and possible remote streaming). The instructions do not attempt to access unrelated system paths or unrelated env vars, but their permissible actions are broad and could be used to exfiltrate data if misused.
Install Mechanism: noteThis is instruction-only (no packaged install executed by the registry). The SKILL.md and frontmatter recommend installing agent-browser via npm (npm install -g agent-browser and agent-browser install). Installing a public npm CLI is a common approach for this functionality, but npm packages are third-party code and should be vetted. There is no opaque download URL or archive extraction in the skill itself.
Credentials: noteThe only declared environment credential is an optional BROWSERBASE_API_KEY for cloud mode; that aligns with the Browserbase functionality. However, the skill recommends storing that key in ~/.openclaw/.env and sourcing it, and it also suggests reusing the host Chrome profile and saving auth profiles via the CLI — both of which involve accessing and persisting sensitive credentials and session state. These requests are proportionate to the advanced features offered, but they increase risk and should be used with care (prefer not to reuse 'Default' profile, use least-privilege API keys, and prefer a secure vault where available).
Persistence & Privilege: okThe skill does not request always:true and does not declare any system-wide modifications in the registry metadata. It instructs saving session state and CLI-managed auth profiles, which is expected for a browser automation tool and is limited to the tool's own storage. Autonomous invocation is allowed (platform default) but not combined with elevated or persistent registry-level privileges.