Stagehand Browser CLI

Pass: Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name:
Developer:
Version:
Description: OpenClaw Agent Skill

The skill is classified as suspicious due to several high-risk capabilities, even without clear evidence of intentional malicious behavior within the provided files. The `SKILL.md` explicitly allows `Bash` execution, granting the AI agent broad command execution capabilities. The `REFERENCE.md` reveals that the browser uses a persistent profile (`.chrome-profile/`) which stores sensitive data like cookies and potentially saved passwords, and it allows unrestricted file downloads to a known path (`./agent/downloads/`). These features, combined with the natural language interface for browser automation, make the skill highly susceptible to prompt injection from a user to perform unauthorized actions, data exfiltration, or download and potentially execute malicious payloads.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running setup could modify the user's Node/global command environment or cause the agent to invoke an unreviewed browser command.

Why it was flagged

These setup steps install and globally link a CLI, but the submitted skill has no reviewed source/package files or install spec for that command.

Skill content

"Run: npm install (this will automatically build TypeScript)", "Run: npm link (this creates the global 'browser' command)"

Recommendation

Do not run the setup until the full source, package manifest, dependency lockfile, and install spec are supplied and trusted.

What this means

Browsing activity may run through a remote Browserbase account and consume or expose account-backed browser sessions without an explicit per-task mode choice.

Why it was flagged

The skill can detect Browserbase credentials in a .env file and choose the remote browser account automatically, while the registry metadata declares no credentials or environment variables.

Skill content

"If Browserbase API keys exist ... Uses remote Browserbase environment" ... "No user prompting"

Recommendation

Require explicit user confirmation before remote mode, declare the Browserbase credentials in metadata, and remove those keys when local-only browsing is intended.

Concern (Medium Confidence)

ASI02: Tool Misuse and Exploitation

What this means

Users could run automations that get accounts flagged, violate site rules, or perform scraping they did not intend to route through a remote anti-detection environment.

Why it was flagged

The remote mode is positioned for stealth/proxy/CAPTCHA-supported scraping, which is broader than ordinary browser assistance and may bypass site controls.

Skill content

"Stealth mode | No | Yes" ... "Proxy/CAPTCHA | No | Yes" ... "Best for | Development | Production/scraping"

Recommendation

Use only on sites where automation is authorized, avoid stealth/CAPTCHA/proxy features unless explicitly needed, and confirm before scraping or submitting forms.

What this means

A vague action could click, type, or submit something unintended on a real website.

Why it was flagged

AI-selected browser actions are central to the skill and disclosed, but the documentation acknowledges ambiguous instructions can act on the wrong page element.

Skill content

"Supports: clicking, typing, selecting, scrolling, waiting, hovering" and "Without specificity it might succeed on the wrong element!"

Recommendation

Use observe and screenshots before sensitive actions, and require explicit confirmation for login, purchase, deletion, posting, or form-submission steps.

What this means

If the user logs into a site, later runs may still be authenticated and able to act in that account.

Why it was flagged

The skill uses a persistent browser profile, so authenticated sessions can remain available to later browser automation.

Skill content

"This example uses Chrome's user profile (`.chrome-profile/`) which may preserve session cookies between runs."

Recommendation

Use a dedicated profile for this skill, log out of sensitive sites, and delete .chrome-profile when session persistence is not desired.

What this means

Screenshots, downloads, or cached page analysis from sensitive sites may remain on disk and be reused or viewed later.

Why it was flagged

The skill writes browsing artifacts and enables caching, which may retain private page content or downloaded files after the task.

Skill content

"Screenshots: `./agent/browser_screenshots/`", "Downloads: `./agent/downloads/`", and "enableCaching: true"

Recommendation

Regularly clear the screenshot, download, cache, and profile directories, especially after working with private or authenticated pages.