Browser Automation
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This browser automation skill is powerful but under-scoped: it can install/link an unreviewed CLI, automatically use remote browser credentials, and retain login sessions.
Install only if you can review the complete CLI source and trust the provider setup. Use a dedicated browser profile and limited API keys, explicitly choose local versus remote mode, avoid sensitive accounts unless necessary, and confirm any action that submits forms, changes account data, downloads files, or uses scraping/stealth features.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
64/64 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running setup could execute or link code that was not included in the reviewed artifacts, especially concerning for a tool that controls a browser.
The skill instructs installation and global linking of a CLI, but the provided artifact set contains no package/code files and no install spec, leaving the executable behavior unavailable for review.
npm install # Install dependencies npm link # Create global 'browser' command
Do not run setup until the complete package source, package.json, lockfile, and CLI implementation are available and reviewed.
Browser activity, credentials entered into websites, screenshots, or scraping activity may run through a Browserbase project unexpectedly and may incur account usage or expose sensitive browsing context to that service.
The skill automatically consumes Browserbase credentials from configuration and changes execution to a remote browser environment without asking the user at runtime.
If Browserbase API keys exist ... Uses remote Browserbase environment ... No user prompting
Require explicit user opt-in for remote mode, declare Browserbase environment variables in metadata, and clearly show which account/project will be used before launching.
The skill could be used in ways that violate website rules or bypass protections, creating legal, account, or abuse risk for the user.
The remote mode is advertised for stealth, proxy/CAPTCHA handling, and production scraping, which can enable abuse of website anti-bot controls if not tightly governed.
| Stealth mode | No | Yes | | Proxy/CAPTCHA | No | Yes | | Best for | Development | Production/scraping |
Use only on sites where automation is authorized; remove or gate anti-detection/CAPTCHA-bypass-oriented workflows behind explicit policy and user confirmation.
A vague instruction could click or type in the wrong place, including on authenticated sites or forms.
Broad natural-language browser control is central to the skill, but the docs acknowledge ambiguous actions can target the wrong element.
AI model interprets natural language and executes corresponding browser actions ... Supports: clicking, typing, selecting, scrolling, waiting, hovering, and more ... Without specificity it might succeed on the wrong element!
Give precise instructions, inspect screenshots, and require explicit confirmation before submitting forms, making purchases, changing account settings, or posting content.
Future browser automation may reuse prior logged-in sessions, and local profile data may remain on disk after closing the browser.
The skill intentionally keeps a persistent browser profile, so login cookies and session state can survive after the immediate task.
This example uses Chrome's user profile (`.chrome-profile/`) which may preserve session cookies between runs.
Use a dedicated low-privilege profile, clear `.chrome-profile/` when finished, and avoid logging into sensitive accounts unless necessary.
Page content, action instructions, and extracted data may be processed by provider services during automation.
The skill relies on an external AI model/provider path for interpreting browser actions and extracting page data, which is expected but relevant for sensitive pages.
Uses Stagehand's `page.act()` which leverages Claude Haiku 4.5 ... Uses Stagehand's `page.extract()`
Avoid using the skill on confidential pages unless the provider data-handling terms are acceptable, and do not place passwords or secrets directly in command text when alternatives exist.