v0.1.5

Agent Browser

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 5:23 AM.

Analysis

This appears to be a real browser automation skill, but it has powerful account, cookie, upload, JavaScript, proxy, screenshot, and video capabilities that should be reviewed carefully before use.

GuidanceInstall only if you trust inference.sh and need powerful browser automation. Avoid using it on sensitive accounts unless necessary, require confirmation before account-changing actions, do not extract or print cookies, disable video recording for sensitive workflows, close sessions after each task, and verify the CLI installer before use.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityMediumConfidenceHighStatusConcern

SKILL.md

Capabilities: web scraping, form filling, clicking, typing, drag-drop, file upload, JavaScript execution

The skill explicitly authorizes broad browser actions that can mutate websites or accounts, including uploads and arbitrary page JavaScript, without clear per-action approval limits in the artifacts.

User impactAn agent using this skill could click buttons, submit forms, upload files, or run JavaScript in an authenticated web session if given an unsafe or ambiguous task.

RecommendationUse it only with clear site/task boundaries, require confirmation before submissions, purchases, uploads, account changes, or admin actions, and avoid giving it access to sensitive sites unless necessary.

Agentic Supply Chain Vulnerabilities

SeverityLowConfidenceHighStatusNote

SKILL.md

curl -fsSL https://cli.inference.sh | sh && infsh login

The setup instructions use a remote shell installer and require logging into the external CLI; this is disclosed and purpose-aligned, but it is not represented as a formal install spec.

User impactInstalling a remote CLI gives that provider software on the user’s machine and connects the skill to the user’s provider account.

RecommendationPrefer the documented manual install and checksum verification path, inspect the installer if possible, and use a least-privileged provider account.

Tool Misuse and Exploitation

SeverityMediumConfidenceHighStatusConcern

references/proxy-support.md

### Rate Limit Avoidance

Rotate proxies for web scraping

The proxy documentation includes a workflow framed around avoiding rate limits, which can encourage bypassing website controls or terms of service.

User impactUsing the skill this way could cause account blocks, legal or policy issues, or harm to third-party services.

RecommendationUse proxy support only for legitimate testing or approved network routing, and respect robots.txt, rate limits, and site terms.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityHighConfidenceHighStatusConcern

references/authentication.md

## Cookie Extraction

Extract cookies for use in other tools:
...
"code": "document.cookie"
...
echo "Cookies: $COOKIES"

The documentation instructs users to extract and print session cookies, which can function as bearer credentials for authenticated accounts.

User impactIf cookies are copied, logged, or exposed, someone else may be able to access the user’s logged-in web accounts.

RecommendationDo not extract or print cookies unless absolutely necessary; redact them, store them securely, and require explicit user approval for any cookie or session-token handling.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning

SeverityMediumConfidenceHighStatusNote

references/session-management.md

Each session maintains an isolated browser context with:
- Cookies
- LocalStorage / SessionStorage
- Browser history
- Page state
- Video recording (if enabled)

Sessions persist across function calls

Persistent browser state is expected for multi-step automation, but it can carry authentication state and prior page context into later actions.

User impactA later action in the same session may still be logged in or may use page state from an earlier task.

RecommendationUse one session per task, close sessions promptly, and avoid reusing authenticated sessions for unrelated work.

Insecure Inter-Agent Communication

SeverityMediumConfidenceMediumStatusNote

SKILL.md

Browser automation for AI agents via [inference.sh](https://inference.sh)... take screenshots, record video

The skill is explicitly mediated by an external provider and returns screenshots or videos that may contain sensitive page content.

User impactSensitive web pages, credentials shown on screen, or private workflow details may appear in screenshots, recordings, or provider-handled session data.

RecommendationUse a trusted provider account, disable recording unless needed, avoid sensitive pages when possible, and review provider data-handling expectations before using authenticated browsing.