Skillv1.0.0

ClawScan security

Browser Use 1.0.0 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 22, 2026, 9:30 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's high-level purpose (spinning up cloud browsers) is plausible, but the instructions and metadata contain inconsistencies and privacy-exposing behaviors (undeclared API key storage, use of persistent profiles/cookies, and use of an external 'browser-use-llm') that warrant caution before installing.
Guidance: Before installing, verify the following: (1) Confirm you trust the domains docs.browser-use.com and api.browser-use.com and that they belong to the service you expect — check official ownership and privacy policy. (2) Understand that the skill expects you to store an API key in your Clawdbot config (skills.entries.browser-use.apiKey) even though the registry metadata lists no required credentials — ask the publisher to declare the credential formally. (3) Be aware that 'profiles' persist cookies/logins and the 'tasks' feature will drive browsers and can send page content (including authenticated content) to Browser Use's servers and their 'browser-use-llm' — do not use with sensitive accounts unless you accept that risk. (4) Confirm you are comfortable with the skill running gateway config.patch and modifying global config; if not, refuse or run in a sandbox/isolated agent. (5) Ask the publisher to resolve the ownerId mismatch, include the missing referenced files (references/api.md), and clarify whether examples using $API_KEY are meant to be env vars or the stored clawdbot config value. If you proceed, create a dedicated, limited-privilege API key/account for this integration and avoid syncing sensitive account cookies.

Review Dimensions

Purpose & Capability: noteThe SKILL.md describes a cloud-browser API and how to create sessions, profiles, and tasks — these map to the stated purpose. However, the skill metadata declares no required credential or env vars while the runtime instructions clearly rely on an API key. Also _meta.json ownerId differs from the registry owner ID in the provided metadata, and the SKILL.md references a local file (references/api.md) that is not included.
Instruction Scope: concernInstructions tell the agent to write an API key into the global Clawdbot config (skills.entries.browser-use.apiKey) and to run gateway config.patch to inject a cdpUrl into gateway configuration — both actions modify agent/global configuration. The 'Tasks (Subagent)' feature will run autonomous browser tasks and instructs to 'always use browser-use-llm', implying potentially sending page content (including content from authenticated sessions tied to profiles/cookies) to an external LLM/service. There is no warning about sensitive data exfiltration.
Install Mechanism: okInstruction-only skill with no install spec or code files — nothing is written to disk by an installer. This is the lowest-risk install mechanism.
Credentials: concernThe skill requires an API key at runtime but the registry metadata declares no required env vars or primary credential. Examples in the doc use $API_KEY, while the setup text says the API key lives in clawdbot config — inconsistent. The feature set (profiles that persist cookies and an LLM for tasks) justifies an API key, but the skill should declare that credential and clarify storage/access. Persisting cookies/profiles and running autonomous tasks increases the sensitivity of the credential and the data the service will see.
Persistence & Privilege: notealways is false (normal). However, the instructions explicitly modify global Clawdbot/gateway configuration (clawdbot config set and gateway config.patch). Writing to global agent config is functionally expected for integration but is a privilege: it can change runtime behavior and expose stored credentials to the service if misconfigured. This cross-config modification should be confirmed acceptable.