tappi
Audited by ClawScan on May 10, 2026. Verdict: Suspicious.
Overview
tappi is a disclosed browser-control CLI, but it gives an agent broad control over your logged-in Chrome session, including uploads, JavaScript eval, and CAPTCHA/iframe coordinate clicks.
Use this only if you are comfortable letting an agent control a browser profile. Prefer a separate, non-personal Chrome profile; keep the CDP endpoint local; do not use it for CAPTCHA bypass; and require explicit confirmation before uploads, posts, purchases, account changes, or any action on sensitive logged-in sites.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this skill can act as you on websites where the controlled browser is already signed in, potentially changing account, business, or public-facing data.
The skill uses the browser's existing logged-in session authority rather than a narrowly scoped service token or per-site credential boundary.
Requires a Chrome/Chromium browser running with --remote-debugging-port ... Signed-in sessions carry over automatically.
Use a separate browser profile or test account, keep the CDP port local, and require explicit approval before the agent performs account-changing actions.

A mistaken or overzealous agent action could submit forms, upload local files, click sensitive controls, or interact with CAPTCHA/iframe UI in your active browser session.
The documented commands provide raw browser actions that can bypass normal UI friction and operate on arbitrary sites, with no artifact-backed limits or approval policy.
bjs upload <path> [selector] Upload file to input (bypasses OS dialog) ... Coordinate commands (cross-origin iframes, captchas, overlays)
Limit use to trusted, user-specified tasks; avoid using it for CAPTCHA/bot-protection interactions; and add confirmation requirements for uploads, submissions, purchases, posts, or account changes.

Bad or unreviewed JavaScript could read or modify page state and trigger actions inside a signed-in website.
The skill explicitly exposes arbitrary JavaScript execution in the active page context, which is powerful in logged-in pages even though it is documented as a last resort.
bjs eval <js> [Low-level] Run JavaScript. Last resort when smart actions can't solve the problem.
Prefer the higher-level click/type/text commands and only use `eval` when the exact JavaScript has been reviewed for the current page.

Installing dependencies changes the local environment and relies on npm package provenance.
The skill relies on an npm dependency for WebSocket CDP access; a package-lock with integrity is present, but the registry install metadata is sparse and the dependency range should be installed with the lockfile honored.
"dependencies": { "ws": "^8.19.0" }
Install from the intended `scripts/` directory, prefer `npm ci` so the lockfile is used, and verify the package source before giving it access to logged-in browser sessions.
