ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Stagehand Browser CLI

Automate web browser interactions using natural language via CLI commands. Use when the user asks to browse websites, navigate web pages, extract data from websites, take screenshots, fill forms, click buttons, or interact with web applications.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 4.9k · 41 current installs · 44 all-time installs
by@peytoncasper
duplicate of @peytoncasper/browser-automation
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The declared purpose (browser automation via a CLI) is coherent with the instructions (commands like browser navigate/act/extract). However the registry metadata claims no required env or binaries, while the docs repeatedly require Chrome, an Anthropic model API key (ANTHROPIC_API_KEY) and optionally Browserbase keys (BROWSERBASE_API_KEY, BROWSERBASE_PROJECT_ID). The package omits the code files (no src/, no package.json) that the docs reference (e.g. src/cli.ts), so the claimed capability cannot be fulfilled by the files present.
!
Instruction Scope
SKILL.md and REFERENCE.md instruct the agent to run npm install and npm link, inspect .env for API keys, launch Chrome with a persistent profile (.chrome-profile/) and write downloads/screenshots into ./agent/... — these steps read and persist user data (profile, cookies, downloads) and could access sensitive data beyond a minimal browsing task. The skill also states selection between 'Browserbase' remote mode and local Chrome happens automatically (no user prompting), which implies the agent will check local configuration files and environment without explicit consent.
!
Install Mechanism
There is no formal install spec in the registry, but the runtime instructions tell the agent to run 'npm install' and 'npm link' if setupComplete is false. Since this skill bundle does not include the referenced source or package.json, those commands would either fail or pull/execute code from the current directory/environment — a risky implicit install path. Instruction-driven installs (npm install) are higher risk when package sources and checksums are not included or verifiable.
!
Credentials
The registry declares no required env vars, but setup.json and REFERENCE.md require ANTHROPIC_API_KEY and SKILL.md mentions optional Browserbase keys (BROWSERBASE_API_KEY, BROWSERBASE_PROJECT_ID). That inconsistency is problematic: the skill will attempt to read secrets that are not declared to the platform. Additionally, the use of a persistent Chrome profile means site cookies and sessions could be reused or inspected, which is sensitive and exceeds the minimal needs for ephemeral browsing tasks.
Persistence & Privilege
The skill is not marked 'always:true' and does not request special platform privileges. However it instructs creation/use of persistent artifacts (.chrome-profile, ./agent/downloads, ./agent/browser_screenshots) which persist across runs and can store cookies, session tokens, and downloaded files. Autonomous invocation is allowed (platform default); combined with file-system persistence this increases blast radius if the skill behaves unexpectedly.
What to consider before installing
Do not install or run this skill yet. The package lacks the code and package metadata the docs reference (no src/, no package.json), and the registry metadata does not declare the API keys and Chrome dependency that the instructions require — this mismatch could cause accidental npm installs or reading of local .env/.chrome-profile data. Ask the author for a complete release (source files or a verified install artifact and package.json), and insist they update the registry to declare required env vars (ANTHROPIC_API_KEY, optional Browserbase keys) and any binaries. Before running, review the actual code, prefer running in an isolated VM/container, avoid pointing it at your real Chrome profile, and never expose API keys or secrets until you verify the source. If you must test, use a disposable profile and do not run npm install in a sensitive directory.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk97bbmrdhgk64bx4zjqnk3k0dd80j6g8

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Browser Automation

Automate browser interactions using Stagehand CLI with Claude.

First: Environment Selection (Local vs Remote)

The skill automatically selects between local and remote browser environments:

  • If Browserbase API keys exist (BROWSERBASE_API_KEY and BROWSERBASE_PROJECT_ID in .env file): Uses remote Browserbase environment
  • If no Browserbase API keys: Falls back to local Chrome browser
  • No user prompting: The selection happens automatically based on available configuration

Setup (First Time Only)

Check setup.json in this directory. If setupComplete: false:

npm install    # Install dependencies
npm link       # Create global 'browser' command

Commands

All commands work identically in both modes:

browser navigate <url>                    # Go to URL
browser act "<action>"                    # Natural language action
browser extract "<instruction>" ['{}']    # Extract data (optional schema)
browser observe "<query>"                 # Discover elements
browser screenshot                        # Take screenshot
browser close                             # Close browser

Quick Example

browser navigate https://example.com
browser act "click the Sign In button"
browser extract "get the page title"
browser close

Mode Comparison

FeatureLocalBrowserbase
SpeedFasterSlightly slower
SetupChrome requiredAPI key required
Stealth modeNoYes
Proxy/CAPTCHANoYes
Best forDevelopmentProduction/scraping

Best Practices

  1. Always navigate first before interacting
  2. View screenshots after each command to verify
  3. Be specific in action descriptions
  4. Close browser when done

Troubleshooting

  • Chrome not found: Install Chrome or use Browserbase mode
  • Action fails: Use browser observe to discover available elements
  • Browserbase fails: Verify API key and project ID are set

For detailed examples, see EXAMPLES.md. For API reference, see REFERENCE.md.

Files

4 total
Select a file
Select a file to preview.

Comments

Loading comments…