v0.1.0

Browserless Agent

Review

ClawScan verdict for this skill. Analyzed May 1, 2026, 5:25 AM.

Analysis

This appears to be a legitimate browser automation skill, but it gives the agent broad control over websites and may expose sensitive form input in logs despite privacy claims.

Guidance

Review this skill carefully before installing. It is useful for web automation, scraping, screenshots, and testing, but it gives the agent powerful website-control abilities. Avoid using it on sensitive accounts unless you supervise actions, redact secrets, and trust the configured Browserless endpoint.

Findings (7)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
Professional web automation ... interact with any website ... Form Automation ... upload files ... Network Control ... Storage Access

The skill intentionally exposes broad browser actions across arbitrary websites, including inputs, uploads, storage, and network controls. The artifacts do not describe scoping or confirmation requirements for high-impact website mutations.

User impact: An agent using this skill could click buttons, submit forms, change website state, upload files, or manipulate session data on sites you visit through it.
Recommendation: Install only if you want broad browser-control authority. Use it for clearly specified tasks, avoid sensitive accounts unless necessary, and require manual confirmation before submissions, purchases, uploads, or account changes.

Unexpected Code Execution
Severity: Low | Confidence: High | Status: Note
README.md
`evaluate` / `evaluate_function` - Run JavaScript

Running JavaScript in the page is a disclosed feature and is purpose-aligned for browser automation, but it is a powerful escape-hatch capability that can affect the current web page and session.

User impact: JavaScript execution can read or modify page content and interact with the active browser session for the current site.
Recommendation: Use JavaScript evaluation only for trusted, task-specific automation and avoid running snippets from untrusted web pages or messages.

Human-Agent Trust Exploitation
Severity: Medium | Confidence: High | Status: Concern
main.py
print(f"Typing '{text}' into selector: {selector}", file=sys.stderr) ... return {"status": "success", "action": "type_text", "selector": selector, "text": text}

The code logs and returns the full text typed into a page. This conflicts with the documentation's broad security claim that credentials are never logged, because typed form values may include passwords, tokens, or other secrets.

User impact: Sensitive values entered into forms may appear in logs or agent-visible outputs.
Recommendation: Do not use this skill to type passwords, tokens, or private form values unless logging is removed or redacted. Prefer secrets managers or manual entry for sensitive credentials.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
requirements.txt
playwright

The dependency is not version-pinned. Installing an unpinned package is common for simple Python projects, but it means future installs may resolve to different package versions.

User impact: A later installation could pull a different Playwright version than the one the author tested.
Recommendation: Pin dependency versions or install in an isolated environment before using the skill for important workflows.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
main.py
BROWSERLESS_TOKEN = os.environ.get("BROWSERLESS_TOKEN") ... url = f"{url}{separator}token={BROWSERLESS_TOKEN}"

The skill uses an optional Browserless authentication token and appends it to the WebSocket connection URL. This is expected for Browserless, but it is delegated service access that users should treat as a credential.

User impact: Anyone with the configured token may be able to use your Browserless service quota or access that service under your account.
Recommendation: Store the token only in secure environment storage, use least-privilege or separate tokens where possible, and rotate it if exposed.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Medium | Confidence: High | Status: Note
README.md
Cloud Service (with token): BROWSERLESS_URL=wss://chrome.browserless.io ... Get your Browserless service at browserless.io

The skill connects to an external Browserless provider when configured that way. Browser actions, page content, screenshots, and form interactions may be processed by that provider.

User impact: Your browsing automation data may pass through a third-party browser infrastructure service.
Recommendation: Use a Browserless provider you trust, prefer `wss://`, and consider a self-hosted instance for sensitive browsing or internal websites.

Memory and Context Poisoning
Severity: Low | Confidence: High | Status: Note
README.md
Storage & Cookies ... `get_cookies` / `set_cookie` / `delete_cookies` ... `get_local_storage` / `set_local_storage` / `clear_local_storage`

Cookie and web-storage access is disclosed and useful for automation, but it can expose or alter session-related browser state during multi-step tasks.

User impact: Session data from one automated browsing task could influence later actions in the same browser context.
Recommendation: Use separate browser contexts or clear cookies/storage between unrelated tasks, especially when working with logged-in or sensitive sites.