Skillv1.0.0

ClawScan security

Agent Browser Clawdbot Rose · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 26, 2026, 6:01 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill is internally consistent with a headless-browser CLI: its instructions, commands, and optional install steps line up with the stated purpose, but installing the referenced CLI (npm) and saving/loading auth state involve normal-but-sensitive actions you should review before use.
Guidance: This skill appears to do what it says: drive a headless browser via the agent-browser CLI. Before installing or using it: - Verify the CLI source: confirm the npm package and the GitHub repo (https://github.com/vercel-labs/agent-browser) are the legitimate upstream projects you expect. - Install in a controlled environment: `npm install -g` and the CLI's `install` command may run install scripts and will download Chromium; prefer testing in a container or VM if you have security concerns. - Treat saved state files (auth.json, admin-auth.json) as sensitive: they can contain cookies/session tokens. Do not load production auth files into untrusted agents or share them. - Check postinstall scripts: inspect the package on npm (or its repo) for unexpected postinstall behavior before running global install. - Network-control and mocking features are powerful: they give the tool the ability to modify requests/responses — use them only with consent and in test environments. If you want higher assurance, ask the publisher to provide the exact npm package name and the package.json / postinstall script, or vendor the CLI binary from a known release and install it manually.

Review Dimensions

Purpose & Capability: okThe name/description match the SKILL.md: it documents a CLI named agent-browser for headless browser automation with snapshots, refs, sessions, and state. There are no unrelated credential requests or unrelated binaries declared.
Instruction Scope: noteInstructions are narrowly focused on invoking the agent-browser CLI, taking snapshots, interacting by refs, controlling network, and saving/loading browser state. They do instruct the agent (user) to save/load auth state files (e.g., auth.json, admin-auth.json), use session env var AGENT_BROWSER_SESSION, and to download Chromium via the CLI — all expected for a browser automation tool but involving sensitive session data. The instructions do not ask to read arbitrary system files or to transmit data to unknown external endpoints beyond the browser/network ops the tool provides.
Install Mechanism: concernThere is no platform install spec in the registry (skill is instruction-only), but SKILL.md tells users to run `npm install -g agent-browser` and `agent-browser install` (which downloads Chromium). Installing an npm package globally can run postinstall scripts and the CLI's install command will fetch a browser binary — this is a moderate risk and should be done from a trusted source and ideally in an isolated environment.
Credentials: noteThe skill declares no required env vars or credentials; the only environment usage documented is the optional AGENT_BROWSER_SESSION. However, the skill explicitly instructs saving and loading auth/state files (cookies/storage), which may contain sensitive session credentials. This is proportionate to a browser automation tool but users must handle those files carefully.
Persistence & Privilege: okThe skill does not request always:true and does not suggest modifying agent/system-wide configs. It is user-invocable and does not ask for permanent platform presence.