Webmcp Browser Agents
Review
Audited by ClawScan on May 13, 2026.
Overview
This appears to be a WebMCP development guide rather than a runnable high-risk tool, but it teaches patterns where agents can use browser sessions and perform commerce actions, so implementations need careful user controls.
This skill looks safe to install as development guidance. Before using its patterns in production, review any generated WebMCP tools for least privilege, require explicit confirmation for purchases or account changes, avoid exposing tokens or sensitive personal data to agents, and verify/pin any external polyfill packages or documentation-derived code.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A WebMCP implementation built from this guidance may let an agent act with the same permissions as the logged-in user on a website.
The skill teaches WebMCP tools that act through the user's existing authenticated browser session, which is high-impact account authority even though it is clearly disclosed and purpose-aligned.
“The agent inherits the user's browser session” and “Tools' fetch calls automatically include the user's cookies and auth headers”
Only expose authenticated tools that are necessary, gate them by role and page state, validate permissions server-side, and require explicit user confirmation for sensitive actions.
If implemented poorly, generated tools could allow agents to add items, change carts, cancel orders, or place purchases too easily.
The commerce examples include state-changing and financial workflows, but the same artifact also instructs developers to require human confirmation for money-related actions.
“checkout(paymentMethod, shippingOption) — Complete purchase” and “Confirmation gates — Require user interaction for anything involving money”
Mark destructive/payment tools with safety annotations, require requestUserInteraction confirmations, show clear order summaries, and keep transactional tools unavailable unless the user is authenticated and on an appropriate page.
The agent may browse external documentation before producing WebMCP code and may rely on whatever content it retrieves.
The skill requires web fetch/search as part of the coding workflow. This is reasonable for a changing specification, but it means external documentation content can shape the generated code.
“Before writing any WebMCP implementation code, you MUST web-search and/or web-fetch the relevant official documentation.”
Prefer the listed official sources, review fetched guidance before applying it, and avoid letting unrelated search results override your project requirements.
A developer or agent could choose the wrong or untrusted package if it does not verify the polyfill source carefully.
The polyfill guidance depends on current package names and external repositories rather than pinned dependency information in this artifact set.
“Always check the MCP-B repo for the latest package names and APIs before installing” and “await import("mcp-b"); // or whatever the current package name is”
Verify package provenance, use the official repository, pin dependency versions, and review package contents before adding a polyfill to a production site.
Bridged implementations may pass user/session-derived data between browser and backend agent systems if boundaries are not designed carefully.
The bridge guidance describes cross-boundary flows between browser agents, polyfills, backend MCP services, session cookies, and API-key-authenticated services.
“Browser Agent ←→ MCP-B Polyfill ←→ Backend MCP Server” and “WebMCP tools use session cookies; MCP tools use API keys”
Define clear data boundaries, avoid forwarding credentials or unnecessary personal data, authenticate backend calls separately, and audit what each bridge endpoint can access.
