Browser Use
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
Browser Use is a coherent browser-automation skill, but it can control logged-in browser sessions, handle cookies, use persistent cloud browsers, and run raw CDP/Python commands without tight approval boundaries.
Install only if you trust the browser-use CLI and need powerful browser automation. Prefer an isolated browser profile, avoid connecting your real Chrome profile or exporting cookies unless explicitly necessary, be cautious with cloud mode for sensitive accounts, and close all sessions after use.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
1. Authenticated session access

Risk: The agent could browse and act as the logged-in user, access session cookies, or affect third-party accounts if commands are run in a real Chrome profile.
Finding: The skill documents attaching automation to the user's authenticated Chrome session and exporting cookies, which can expose or use account sessions beyond ordinary unauthenticated browsing.
Evidence: `browser-use connect` # Connect to user's Chrome (preserves logins/cookies) ... `browser-use cookies export <file>`
Recommendation: Use an isolated or throwaway browser profile by default. Require explicit user approval before connecting to the user's real Chrome profile, using a named profile, or getting/exporting/importing cookies.

2. Raw CDP escape hatch

Risk: A mistaken or overbroad agent action could inspect cookies, manipulate tabs, intercept network activity, or perform browser actions that the user did not intend.
Finding: The references expose a raw CDP escape hatch that bypasses the safer scoped browser-use commands and can perform broad browser-level operations.
Evidence: `browser._session` — the raw `BrowserSession` with full CDP client access ... All CDP domains are available via `cdp.cdp_client.send.<Domain>.<method>()`
Recommendation: Prefer the scoped CLI commands. Treat raw CDP, REST passthrough, and low-level browser internals as advanced operations that require clear user intent and review.

3. Dynamic Python execution

Risk: If the agent runs generated or unreviewed Python statements, it may execute unintended logic in the local browser automation environment.
Finding: The skill documents dynamic Python execution with persistent state inside the browser-use session, which is broader than ordinary click/type/screenshot automation.
Evidence: `browser-use python "statement"` executes one Python statement per call. Variables persist across calls.
Recommendation: Do not allow arbitrary Python snippets unless necessary. Ask the user before running browser-use python commands and keep snippets narrowly scoped to the requested browser task.

4. Cloud browser mode

Risk: Browsing data, session state, screenshots, or form contents may be processed in a remote browser environment when cloud mode is used.
Finding: Cloud mode sends browser activity to an external browser provider and keeps a persistent remote profile, which is disclosed but sensitive.
Evidence: `browser-use cloud connect` # Cloud browser (zero-config, requires API key) ... `cloud connect` provisions a cloud browser with a persistent profile ... prints a live URL.
Recommendation: Use cloud mode only for data you are comfortable processing remotely. Avoid logging into sensitive accounts in the cloud browser unless you understand the provider and profile retention behavior.

5. Persistent browser sessions

Risk: A browser session may remain open with tabs, cookies, or authenticated state after a task unless closed.
Finding: The skill intentionally keeps browser automation sessions alive across commands; this is disclosed and useful for the purpose, but it is persistent behavior users should notice.
Evidence: A background daemon keeps the browser open across commands ... browser stays open between commands.
Recommendation: Run `browser-use close` or `browser-use close --all` after sensitive tasks, and avoid leaving authenticated sessions open longer than needed.

6. External, unverified CLI dependency

Risk: The safety of the skill depends partly on which `browser-use` binary is installed on the user's machine.
Finding: The skill depends on an external `browser-use` CLI but does not include code, an install spec, or a declared homepage in the registry metadata, so the actual executable is outside this artifact review.
Evidence: Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.
Recommendation: Install the browser-use CLI only from a trusted source, verify the command you have installed, and avoid using an unexpected or untrusted binary with this skill.
