Agent Browser - Stagehand
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: Developer: Version: Description: OpenClaw Agent Skill The skill provides powerful browser automation capabilities, including full network access (localhost, internal networks), persistent browser profiles that store cookies and potentially saved credentials, and automatic file downloads without user interaction. The agent is explicitly allowed to execute arbitrary Bash commands (SKILL.md). Additionally, the browser is launched off-screen (REFERENCE.md), which can be a form of stealth. While these features are aligned with the stated purpose of browser automation, they present significant security risks if the agent is compromised or misdirected, as they enable broad access and potential data handling without explicit malicious intent within the skill's instructions.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the setup could fail or could execute/link code that was not included in the reviewed artifact set.
The setup asks for package installation/building and a global command link, while the provided artifacts contain no package/source files or install spec for reviewing what would be installed or linked.
"1. Run: npm install (this will automatically build TypeScript)", "2. Run: npm link (this creates the global 'browser' command)"
Do not run npm install or npm link until the skill provides its package.json, lockfile, source code, and a declared install spec.
Browser sessions may run under a remote Browserbase account without the user realizing, potentially affecting account usage, billing, and data exposure.
The skill automatically uses account-backed Browserbase credentials from .env and switches to remote execution without prompting, despite metadata declaring no credentials or env vars.
If Browserbase API keys exist (BROWSERBASE_API_KEY and BROWSERBASE_PROJECT_ID in .env file): Uses remote Browserbase environment ... No user prompting
Require explicit user approval before remote mode, declare Browserbase credentials in metadata, and provide a clear local-only option.
The skill could be used in ways that bypass website controls or violate site terms, especially when combined with automated clicks and extraction.
The remote mode is advertised with stealth/proxy/CAPTCHA support for production scraping, but the artifacts do not constrain this to authorized or policy-compliant use.
| Stealth mode | No | Yes | ... | Proxy/CAPTCHA | No | Yes | ... | Best for | Development | Production/scraping |
Use only on sites where automation is allowed, disable stealth/CAPTCHA features unless explicitly authorized, and require confirmation before submissions or account actions.
Future browser tasks may start already logged in, exposing private account pages or allowing unintended authenticated actions.
Persistent browser profiles can retain login cookies and other web state across tasks, but the artifacts do not define retention limits or a cleanup workflow.
This example uses Chrome's user profile (`.chrome-profile/`) which may preserve session cookies between runs.
Use separate temporary profiles for sensitive work, clear `.chrome-profile/` after use, and avoid entering important credentials unless you trust the implementation.
Sensitive page content, form text, or instructions could be involved in provider-mediated automation.
The skill relies on an external model/provider for browser actions; this is purpose-aligned, but users should understand that page context and requested actions may be processed outside the local browser.
Uses Stagehand's `page.act()` which leverages Claude Haiku 4.5
Review provider data-handling terms and avoid using the skill for sensitive logged-in pages unless the data flow is acceptable.