Agent Browser - Stagehand

Security checks across malware telemetry and agentic risk

Overview

This skill is review-worthy because it grants broad browser-control authority, can switch to a remote/stealth browser without prompting, persists sessions, and references runnable CLI code that is not included for review.

Install only if you can review the missing CLI package/source and you are comfortable with broad browser control. Before use, confirm whether it will run locally or through Browserbase, avoid sensitive accounts unless needed, require approval for submissions or account changes, and clear .chrome-profile when you do not want sessions reused.

VirusTotal

64/64 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI04: Agentic Supply Chain Vulnerabilities
Medium
What this means

Installing or invoking the global browser command could run code whose provenance and behavior are not shown in the submitted artifacts.

Why it was flagged

The setup asks to install and globally link a CLI, while the supplied artifact set contains only documentation/setup files and no reviewable package or source for that CLI.

Skill content

"1. Run: npm install (this will automatically build TypeScript)", "2. Run: npm link (this creates the global 'browser' command)"

Recommendation

Do not run npm install/npm link or rely on the global browser command unless the full package source, package.json, lockfile, and install scripts are available and reviewed.

ASI02: Tool Misuse and Exploitation
Medium
What this means

The agent could click, type, submit forms, or otherwise mutate a website in ways that are hard to predict, especially on authenticated or business-critical pages.

Why it was flagged

The skill grants Bash access to drive a browser action command that can perform broad natural-language interactions on arbitrary web pages.

Skill content

allowed-tools: Bash ... browser act "<action>" # Natural language action

Recommendation

Use only with explicit user-directed tasks, and require confirmation before submitting forms, making purchases, changing account settings, deleting data, or publishing content.

ASI03: Identity and Privilege Abuse
Medium
What this means

Browserbase account privileges, billing, remote sessions, and possibly authenticated browsing activity could be used unexpectedly when keys are present.

Why it was flagged

The skill automatically uses provider account credentials from a .env file and switches execution to a remote browser without per-task user approval, despite registry metadata declaring no env vars or primary credential.

Skill content

If Browserbase API keys exist (BROWSERBASE_API_KEY and BROWSERBASE_PROJECT_ID in .env file): Uses remote Browserbase environment ... No user prompting

Recommendation

Declare these credentials in metadata, prompt before switching to Browserbase, and document exactly which account capabilities and costs may be used.

ASI07: Insecure Inter-Agent Communication
Medium
What this means

Sensitive webpage content, screenshots, form data, or authenticated-page data may be processed by external services during automation.

Why it was flagged

The browser workflow places page contents and interactions in an external AI/browser automation loop, but the artifacts do not define data boundaries, retention, or warnings for sensitive/authenticated pages.

Skill content

Uses Stagehand's page.extract() ... AI model (Claude Haiku 4.5) identifies relevant page elements

Recommendation

Avoid using this skill on sensitive accounts unless the provider data handling is acceptable, and add clear prompts/documentation for what page data is sent to remote services.

ASI10: Rogue Agents
Medium
What this means

The skill could be used for anti-detection or scraping workflows that may violate site rules, trigger account blocks, or create legal/reputational risk.

Why it was flagged

The remote mode advertises stealth, proxy/CAPTCHA capability, and production scraping, which is materially different from ordinary user-visible browsing and is not bounded by policy or approval guidance.

Skill content

| Stealth mode | No | Yes | ... | Proxy/CAPTCHA | No | Yes | ... | Best for | Development | Production/scraping |

Recommendation

Only use automation where permitted, avoid CAPTCHA or anti-bot evasion, and require explicit approval for scraping or stealth-mode activity.

ASI06: Memory and Context Poisoning
Low
What this means

A later browsing task may inherit logged-in sessions or cookies from an earlier task, which can be convenient but can also expose or misuse prior account state.

Why it was flagged

The skill deliberately keeps browser session state so later runs can reuse cookies and authenticated context.

Skill content

This example uses Chrome's user profile (`.chrome-profile/`) which may preserve session cookies between runs.

Recommendation

Delete or isolate .chrome-profile when switching users, accounts, or sensitive sites, and prefer a fresh profile for untrusted browsing.