Tandem Browser
Result: Pass. Audited by ClawScan on May 12, 2026.
Overview
This is a coherent browser-control skill, but it gives the agent powerful access to a local Tandem Browser session and should be used only for tasks you trust.
Install only if you trust Tandem Browser and mcporter, keep the local API token private, supervise consequential browser actions, and be cautious with untrusted websites—especially because the documented Linux setup uses `--no-sandbox`.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could interact with websites in the Tandem Browser, including forms or pages tied to user accounts, if the user asks it to do so.
The skill intentionally gives the agent browser interaction abilities, including clicking and filling fields. This is expected for the stated purpose, but can have real effects if used on logged-in or transactional pages.
Browse, snapshot, click, type, navigate ... mcporter call tandem tandem_snapshot_click ... tandem_snapshot_fill
Use this skill for trusted browsing tasks and require explicit confirmation before submissions, purchases, account changes, or public posts.
A compromised or malicious web page may have more opportunity to affect the local environment than it would in a sandboxed browser.
The skill documents running the browser without sandboxing on Linux. This is disclosed and may be required by Tandem, but it reduces browser isolation when visiting untrusted pages.
`--no-sandbox` — always required on Linux
Avoid using the unsandboxed browser for unknown or high-risk sites, and run it in a contained user account or environment when possible.
Anyone or any process with access to that token may be able to control the local Tandem Browser API.
The skill discloses use of a local bearer token for the Tandem API. This is expected for connecting to the local MCP bridge, but it is still credential-based access to browser-control functionality.
Auth token: `~/.tandem/api-token` (Bearer token)
Protect the token file, avoid sharing logs or screenshots containing it, and rotate it if it may have been exposed.
The safety of the skill also depends on the installed mcporter and Tandem Browser versions, which were not reviewed here.
The skill depends on an external mcporter binary and Tandem Browser components that are not included in the reviewed artifacts. This is a provenance and review-context limitation, not evidence of malicious behavior.
Required binaries (all must exist): mcporter; No install spec — this is an instruction-only skill.
Install mcporter and Tandem Browser only from trusted sources and keep them updated.
A running daemon may continue making Tandem tools available for multi-step work until stopped.
The skill documents a persistent daemon mode and systemd service, but presents them as manual, user-directed options rather than hidden background behavior.
Daemon mode (persistent, for multi-step workflows) ... `mcporter daemon start` ... Service is disabled (start manually when needed)
Start the daemon only when needed and stop it after use if you do not want ongoing browser-control availability.
Malicious web page content could try to influence the agent if treated as instructions instead of untrusted page data.
The skill acknowledges that raw page HTML can contain prompt-injection content. The warning and recommendation to prefer safer content-reading methods are purpose-aligned mitigations.
`tandem_get_page_html` | Last resort. Raw HTML, prompt-injection exposed.
Treat web page content as untrusted evidence and avoid using raw HTML unless necessary.
