Oh My Browser
Security checks across malware telemetry and agentic risk
Overview
This skill openly gives an AI agent broad access to your logged-in browser, including the ability to read private pages and interact with websites, but the artifacts do not show strong per-site or per-action safeguards.
Use this only if you intentionally want an AI agent to operate your real logged-in browser. Consider a dedicated browser profile with limited accounts, avoid sensitive pages unless necessary, verify the remote installer and omb CLI, and require manual review before the agent submits forms, sends messages, changes settings, purchases anything, or accesses confidential systems.
VirusTotal
67/67 vendors flagged this plugin as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may be able to view or act within sites where you are already logged in, such as email, documents, dashboards, or internal tools.
This explicitly grants the agent access through the user's authenticated browser session, which can include personal, work, and internal accounts.
Let your AI Agent use **your real browser** to search and interact with the web -- with your logins, cookies, and locale intact.
Install only if you are comfortable giving the agent access to logged-in browser sessions; use a separate browser profile or account with limited permissions when possible.
A capable or misdirected agent could submit forms, change account data, run page scripts, or inspect browser/network content in the active browser context.
The browser action tool exposes powerful interaction, script evaluation, debugging, and interception capabilities without artifact-visible per-site limits or approval requirements.
"omb_action" ... "click", "fill", "keypress", "evaluate", "cdp_eval", "intercept_start", "intercept_add_rule", "intercept_get_captured"
Use this skill only for tasks where browser automation is intended, and require manual confirmation for sensitive actions such as purchases, account changes, messages, or data exports.
You are trusting the remote installer, external CLI, and browser extension in addition to this plugin.
The recommended setup executes a remote installer that downloads the CLI and Chrome extension; this is disclosed, but the downloaded code is outside the provided review artifacts.
curl -fsSL https://api.omb.org.cn/install | bash ... irm https://api.omb.org.cn/install | iex
Review the installer source, verify the publisher/domain, and prefer pinned or checksum-verified downloads before installation.
The installed omb binary will handle the actual browser-control workflow, so its behavior and updates matter for security.
The plugin starts an external omb CLI subprocess. This matches the documented architecture, but it means the reviewed plugin delegates most browser-control behavior to external executable code.
const child = spawn(ombPath, ["--mcp", "--auth-dir", this.authDir], { stdio: ["pipe", "pipe", "pipe"] });
Ensure the omb binary comes from a trusted source and avoid setting OMB_PATH to an untrusted executable.
Private page contents or browser interaction details may pass through the CLI/API/extension bridge before reaching the agent.
Authenticated page content and browser actions flow through a multi-component bridge. The artifacts describe the path but do not fully explain data retention, transport boundaries, or whether any content leaves the local machine.
Agent --> oh-my-browser plugin --> omb CLI (subprocess) --> API --> your Chrome extension
Confirm the service's privacy model and data handling before using it on sensitive pages or internal systems.
Browser-control capability may be re-established automatically during the active agent session after a crash.
The bridge automatically restarts the omb subprocess after exits while the plugin is active. This appears to be reliability behavior, not hidden persistence.
var RESTART_DELAYS = [1e3, 2e3, 5e3]; ... this.spawnProc(ombPath); this.initialize()
Stop or disable the plugin/gateway when you no longer want the agent to have browser-control access.
