Web Browser
Pass
Audited by ClawScan on May 10, 2026.
Overview
This is a coherent Apify browser-automation guide, but it uses a personal API token and sends web tasks to a cloud service that can submit forms or run browser scripts.
This skill appears purpose-aligned and instruction-only, with no hidden code or install step in the provided artifacts. Before using it, set clear limits on what the agent may do in the browser, review generated automation scripts, protect your Apify token, and avoid sending sensitive data unless you trust the provider and the task requires it.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used carelessly, the agent could submit forms, click buttons, or run automation that affects websites or consumes Apify compute.
The skill gives the agent broad authority to choose Apify actors and trigger browser automation runs. This is central to the purpose, but it can cause real web actions such as form submissions.
Describe a web task in plain language and Claude will: 1. Pick the right automation actor for the job 2. Build and fire the API call
Use explicit instructions for target sites and permitted actions, and require confirmation before submissions, logins, purchases, posting, or other irreversible actions.
Anyone with the token could use the user's Apify account permissions and compute quota.
The skill requires a personal Apify API token so API calls can run under the user's account. This is expected for the integration, but it is an account credential.
copy your Personal API Token ... export AUTOMATION_TOKEN=api_xxxxxxxxxxxxxxxx
Store the token securely, avoid pasting it into prompts or logs, rotate it if exposed, and prefer the least-privileged token Apify supports.
Generated browser scripts can click, type, submit forms, and interact with web pages on the user's behalf.
The example sends JavaScript page automation code to Apify for execution in a cloud browser. This is a normal mechanism for Puppeteer/Playwright actors, but generated scripts should still be reviewed.
pageFunction: `async function pageFunction({ page }) { ... await page.click('button[type="submit"]'); ... }`
Review generated pageFunction code before running it, especially when it handles credentials, payments, account settings, or user-generated inputs.
URLs, form fields, scraped data, and other task details may leave the local environment and be processed by Apify.
The skill discloses that automation is performed through Apify's cloud API, meaning task inputs and results may be transmitted to that provider.
using a cloud-based browser automation platform via a simple REST API
Do not send private, regulated, or secret data unless necessary, and review Apify's data handling and retention settings for sensitive tasks.
