Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Agent Browser - Stagehand

v1.0.0

Automate web browser interactions using natural language via CLI commands. Use when the user asks to browse websites, navigate web pages, extract data from websites, take screenshots, fill forms, click buttons, or interact with web applications.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
[!] Purpose & Capability
The skill claims to automate browsers (reasonable). However the SKILL.md and setup.json expect ANTHROPIC_API_KEY and optionally Browserbase API keys (BROWSERBASE_API_KEY, BROWSERBASE_PROJECT_ID) even though the registry metadata declares no required env vars/credentials. The skill also uses a persistent Chrome profile and download path which are plausible for a browser tool but increase scope (session cookies, saved credentials). The mismatch between declared requirements and actual instructions is incoherent.
[!] Instruction Scope
Instructions tell the agent to run npm install and npm link (system-wide changes), to read/write a .env file and .chrome-profile, to save downloads to ./agent/downloads, and to use an external model (Anthropic) for action interpretation. The skill will therefore potentially transmit page content/DOM to a remote model and persist session cookies locally. The header also states automatic mode selection (local vs Browserbase) occurs without prompting, so presence of keys could silently change behavior to use remote infrastructure.
Install Mechanism
There is no formal install spec (instruction-only), which limits automated platform installation risk. But the runtime README explicitly instructs running 'npm install' and 'npm link' to create a global CLI — commands that modify the host environment and install dependencies from package manifests. That is expected for a CLI tool but means the agent or user will execute arbitrary package installs locally; provenance of those packages is not documented here.
[!] Credentials
The skill effectively requires ANTHROPIC_API_KEY (setup.json) and optionally Browserbase keys (SKILL.md) to enable remote model-driven actions and remote Browserbase scraping, but the registry metadata lists no required env vars. This mismatch is concerning: sensitive credentials are implicated but not declared. Additionally, persisting .chrome-profile can retain session cookies/credentials, expanding the data the tool can access.
Persistence & Privilege
The skill does not request always:true and does not modify other skills, which is fine. It does instruct creating a persistent Chrome profile (.chrome-profile), download and screenshot directories, and suggests npm link to install a global 'browser' command — these create persistent artifacts on disk and a global binary that alter the system environment. That behavior is plausible for a CLI but is a notable privilege/persistence footprint.
What to consider before installing
This skill is coherent with a browser automation tool, but there are several red flags you should consider before installing or running it:

- The registry says no credentials are required, but the included docs/setup.json expect ANTHROPIC_API_KEY and optionally Browserbase API keys. Treat those credentials as sensitive — if you provide them the tool may send page content and extracted data to remote services.
- The skill recommends running 'npm install' and 'npm link', which will install dependencies and create a global 'browser' command. Only run those if you trust the package source; review package.json and dependency list first.
- It uses a persistent Chrome profile (.chrome-profile) and saves downloads/screenshots to local folders. That will preserve cookies, sessions, and downloaded files — avoid using it on pages with sensitive accounts unless you understand and accept that persistence.
- Mode selection is automatic: if Browserbase keys are present the tool will use remote infrastructure (stealth/proxy). If you don't want remote use, do not provide Browserbase credentials and remove any existing .env keys.
- The tool refers to sending page data to an external LLM (Anthropic Claude). If you will visit pages containing secrets or PII, assume that data may be transmitted to the model provider.

Recommended actions: inspect the package contents (package.json, src) before running npm install; run in an isolated/sandbox environment first; only provide API keys you trust and rotate them after testing; and avoid automating authenticated flows with sensitive accounts until you verify behavior and data flows.

Like a lobster shell, security has layers — review code before you run it.
