Stagehand Browser CLI
Advisory. Audited by static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Finding 1: Unreviewed global CLI installation
Risk: Running setup could modify the user's Node/global command environment or cause the agent to invoke an unreviewed browser command.
Detail: These setup steps install and globally link a CLI, but the submitted skill has no reviewed source/package files or install spec for that command.
Evidence: "Run: npm install (this will automatically build TypeScript)", "Run: npm link (this creates the global 'browser' command)"
Recommendation: Do not run the setup until the full source, package manifest, dependency lockfile, and install spec are supplied and trusted.

Finding 2: Silent selection of remote Browserbase mode
Risk: Browsing activity may run through a remote Browserbase account and consume or expose account-backed browser sessions without an explicit per-task mode choice.
Detail: The skill can detect Browserbase credentials in a .env file and choose the remote browser account automatically, while the registry metadata declares no credentials or environment variables.
Evidence: "If Browserbase API keys exist ... Uses remote Browserbase environment" ... "No user prompting"
Recommendation: Require explicit user confirmation before remote mode, declare the Browserbase credentials in metadata, and remove those keys when local-only browsing is intended.

Finding 3: Stealth/proxy/CAPTCHA scraping capabilities
Risk: Users could run automations that get accounts flagged, violate site rules, or perform scraping they did not intend to route through a remote anti-detection environment.
Detail: The remote mode is positioned for stealth/proxy/CAPTCHA-supported scraping, which is broader than ordinary browser assistance and may bypass site controls.
Evidence: "Stealth mode | No | Yes" ... "Proxy/CAPTCHA | No | Yes" ... "Best for | Development | Production/scraping"
Recommendation: Use only on sites where automation is authorized, avoid stealth/CAPTCHA/proxy features unless explicitly needed, and confirm before scraping or submitting forms.

Finding 4: AI-selected actions on ambiguous instructions
Risk: A vague action could click, type, or submit something unintended on a real website.
Detail: AI-selected browser actions are central to the skill and disclosed, but the documentation acknowledges that ambiguous instructions can act on the wrong page element.
Evidence: "Supports: clicking, typing, selecting, scrolling, waiting, hovering" and "Without specificity it might succeed on the wrong element!"
Recommendation: Use observe and screenshots before sensitive actions, and require explicit confirmation for login, purchase, deletion, posting, or form-submission steps.

Finding 5: Persistent authenticated browser profile
Risk: If the user logs into a site, later runs may still be authenticated and able to act in that account.
Detail: The skill uses a persistent browser profile, so authenticated sessions can remain available to later browser automation.
Evidence: "This example uses Chrome's user profile (`.chrome-profile/`) which may preserve session cookies between runs."
Recommendation: Use a dedicated profile for this skill, log out of sensitive sites, and delete .chrome-profile when session persistence is not desired.

Finding 6: Browsing artifacts retained on disk
Risk: Screenshots, downloads, or cached page analysis from sensitive sites may remain on disk and be reused or viewed later.
Detail: The skill writes browsing artifacts and enables caching, which may retain private page content or downloaded files after the task.
Evidence: "Screenshots: `./agent/browser_screenshots/`", "Downloads: `./agent/downloads/`", and "enableCaching: true"
Recommendation: Regularly clear the screenshot, download, cache, and profile directories, especially after working with private or authenticated pages.
