ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Browser Automation

Automate web browser interactions using natural language via CLI commands. Use when the user asks to browse websites, navigate web pages, extract data from websites, take screenshots, fill forms, click buttons, or interact with web applications.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
37 · 24.8k · 331 current installs · 346 all-time installs
by@peytoncasper
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The described purpose (browser automation) matches the instructions (navigate, act, extract, screenshot). However the metadata declares no required environment variables or binaries while the docs and setup.json explicitly ask for ANTHROPIC_API_KEY, optionally Browserbase API keys, Chrome, and npm-installed dependencies. That omission is an incoherence: a legitimate implementation would declare those requirements.
!
Instruction Scope
SKILL.md/REFERENCE instruct the agent to read .env, use an existing Chrome user profile (.chrome-profile/), save downloads to ./agent/downloads/, and automatically choose remote Browserbase if BROWSERBASE_* keys exist — selection is 'no user prompting'. Those instructions access and persist potentially sensitive data (cookies, sessions, downloads, API keys) and can send traffic to a remote service. The docs also claim use of Anthropic/Claude model which requires an API key. The instructions therefore extend beyond simple page navigation into handling credentials and persistent profiles.
!
Install Mechanism
The registry shows no install spec (instruction-only), yet setup.json and SKILL.md instruct running `npm install` and `npm link` to create a global 'browser' command. Moreover the skill references source (src/cli.ts) and npm dependencies but no code files or package manifest are present in the package. This mismatch is a red flag — either code is missing from the published bundle or the docs are for an external tool not actually packaged here.
!
Credentials
The skill metadata lists no required env vars, but setup/docs require ANTHROPIC_API_KEY and optionally BROWSERBASE_API_KEY and BROWSERBASE_PROJECT_ID. These keys are proportionate to using an LLM backend and a remote browser service, but they are not declared in the skill metadata. Additionally, persisting a Chrome profile and downloads can expose sensitive session cookies or downloaded files; that persistence should be explicit in metadata and user warnings.
!
Persistence & Privilege
The tool is not marked always:true, but the docs intentionally persist .chrome-profile/ and ./agent/downloads/ and recommend preserving session cookies. Persisting profiles and downloads is functionally reasonable for a browser automation tool, but combined with automatic, non-prompted selection of remote mode (if keys are present) and 'stealth' / proxy capabilities in Browserbase mode, this increases the risk surface and should be made explicit to users.
What to consider before installing
Do not install or run the npm commands from this package yet. Key concerns: (1) The package metadata claims no required env vars or binaries, but the docs and setup.json require ANTHROPIC_API_KEY, optional Browserbase API keys, Chrome, and npm dependencies — this inconsistency suggests the published bundle is incomplete or mislabeled. (2) The tool preserves a Chrome profile and saves downloads locally (./agent/downloads/), which can retain cookies, active sessions, and downloaded files — consider privacy implications. (3) Browserbase/remote mode would send browsing activity and page contents to a remote service if BROWSERBASE_* keys are present; the skill claims it will switch to that mode automatically without prompting. (4) The docs instruct running `npm install` and `npm link` for a global CLI but no source/package files are present in the bundle; running these commands from an unknown source could install arbitrary code. Before proceeding, ask the publisher for: (a) the source repository or a verified release tarball (ideally GitHub or official domain), (b) a package.json and full source to inspect, (c) corrected registry metadata that lists required env vars and permissions, and (d) details about what Browserbase is, its privacy policy, and where remote traffic is sent. If you must test: run in an isolated VM/container, do not reuse real browser profiles or credentials, and never expose real ANTHROPIC_API_KEY or other secrets until you have verified the code and origin.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.1
Download zip
latestvk97bbx0w2aszfshcnx06qnq1w180khae

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Browser Automation

Automate browser interactions using Stagehand CLI with Claude.

First: Environment Selection (Local vs Remote)

The skill automatically selects between local and remote browser environments:

  • If Browserbase API keys exist (BROWSERBASE_API_KEY and BROWSERBASE_PROJECT_ID in .env file): Uses remote Browserbase environment
  • If no Browserbase API keys: Falls back to local Chrome browser
  • No user prompting: The selection happens automatically based on available configuration

Setup (First Time Only)

Check setup.json in this directory. If setupComplete: false:

npm install    # Install dependencies
npm link       # Create global 'browser' command

Commands

All commands work identically in both modes:

browser navigate <url>                    # Go to URL
browser act "<action>"                    # Natural language action
browser extract "<instruction>" ['{}']    # Extract data (optional schema)
browser observe "<query>"                 # Discover elements
browser screenshot                        # Take screenshot
browser close                             # Close browser

Quick Example

browser navigate https://example.com
browser act "click the Sign In button"
browser extract "get the page title"
browser close

Mode Comparison

FeatureLocalBrowserbase
SpeedFasterSlightly slower
SetupChrome requiredAPI key required
Stealth modeNoYes
Proxy/CAPTCHANoYes
Best forDevelopmentProduction/scraping

Best Practices

  1. Always navigate first before interacting
  2. View screenshots after each command to verify
  3. Be specific in action descriptions
  4. Close browser when done

Troubleshooting

  • Chrome not found: Install Chrome or use Browserbase mode
  • Action fails: Use browser observe to discover available elements
  • Browserbase fails: Verify API key and project ID are set

For detailed examples, see EXAMPLES.md. For API reference, see REFERENCE.md.

Files

4 total
Select a file
Select a file to preview.

Comments

Loading comments…