ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Nextbrowser

v1.0.22

Use Nextbrowser cloud API to spin up cloud browsers for Openclaw to run autonomous browser tasks. Primary use is creating browser sessions with profiles (per...

17· 3.1k·3 current·3 all-time
byArtem Popov@highxshell
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the instructions: the SKILL.md describes spinning up cloud browsers, profiles, proxies, and credential management against nextbrowser API endpoints — these capabilities align with the stated purpose.
Instruction Scope
Instructions only call Nextbrowser endpoints (app.nextbrowser.com) and describe profile, proxy, and credentials operations which are expected. However, the SKILL.md instructs the agent to read an OpenClaw config path (skills.entries.next-browser.apiKey) for the API key — that access was not declared in the registry metadata and should have been.
Install Mechanism
Instruction-only skill with no install steps or downloads — minimal disk/write risk.
!
Credentials
No env vars or config paths are declared in the registry metadata, yet the runtime docs require an API key stored in OpenClaw config. The skill will cause user account credentials, proxy credentials, and persistent browser profile data to be sent to Nextbrowser (expected for this functionality) — ensure you trust the external service before supplying sensitive data.
Persistence & Privilege
always:false and default autonomous invocation settings. The skill does not request permanent system-wide presence or modify other skills; normal autonomous invocation capability applies.
What to consider before installing
This skill appears to do what it says (manage cloud browser sessions, profiles, proxies). Before installing: 1) Note the SKILL.md reads your OpenClaw config key at skills.entries.next-browser.apiKey but the registry metadata does not list that config path — ask the publisher to declare it. 2) Only provide a Nextbrowser API key you trust and consider creating a dedicated, limited key for this skill. 3) Understand that browser profiles and credential entries (cookies, logins, proxy usernames/passwords) will be stored or transmitted to Nextbrowser — do not upload secrets you wouldn't want the external service to see. 4) If you plan to allow autonomous agent runs, remember the agent can use these browser sessions to act on your accounts; limit scope and monitor activity. 5) Verify Nextbrowser's real domain and privacy/security docs (docs.nextbrowser.com and app.nextbrowser.com) and confirm account retention/purge policies. If the publisher can update the skill metadata to declare the config path (or require an explicit env var) and document the exact data flows, this lowers the risk.

Like a lobster shell, security has layers — review code before you run it.

latestvk974vk986zfa7esbhayjw0v85x840sxn
3.1kdownloads
17stars
22versions
Updated 5h ago
v1.0.22
MIT-0
Artem Popov@highxshell
latest
Download

Nextbrowser

Nextbrowser provides cloud browsers and autonomous browser automation via API.

Docs:

Setup

API Key is read from openclaw config at skills.entries.next-browser.apiKey.

If not configured, tell the user:

To use Nextbrowser, you need an API key. Get one at https://app.nextbrowser.com/user-settings (new signups get 2000 free credits). Then configure it:

openclaw config set skills.entries.next-browser.apiKey "YOUR_API_KEY"

Important: Nextbrowser API keys can have various formats and prefixes. Do NOT validate the key format yourself - simply use whatever key the user provides. If the key is invalid, the API will return an authentication error, and only then should you ask the user to verify their key.

Base URL: https://app.nextbrowser.com/api/v1

All requests need header: Authorization: x-api-key <apiKey>

1. Credentials Manager

The Credentials Manager securely stores and reuses authentication data across browser runs and autonomous tasks.

# List credentials
curl "https://app.nextbrowser.com/api/v1/users/credentials" -H "Authorization: x-api-key $API_KEY"

2. Profiles

Profiles persist cookies and login state across browser sessions. Create one, log into your accounts in the browser, and reuse it.

# List profiles
curl "https://app.nextbrowser.com/api/v1/browser/profiles" -H "Authorization: x-api-key $API_KEY"

# Create browser profile
curl -X POST "https://app.nextbrowser.com/api/v1/browser/profiles" \
  -H "Authorization: x-api-key $API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"name": "<profile-name>", "browser_settings": {"os_type": "<os-type>", "browser_type": "chrome"},
   "proxy_settings":{"protocol":"<http|socks5>","country":"<iso-2-country-code>","mode":"built-in"},
   "credentials": ["<credential-id>"]}'

# Create browser profile with custom proxy
curl -X POST "https://app.nextbrowser.com/api/v1/browser/profiles" \
  -H "Authorization: x-api-key $API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"name": "<profile-name>", "browser_settings": {"os_type": "<os-type>", "browser_type": "chrome"},
   "proxy_settings":{"mode":"custom","protocol":"<http|https|socks5>","host":"<proxy-host>","port":<proxy-port>,"username":"<proxy-username>","password":"<proxy-password>"},
   "credentials": ["<credential-id>"]}'

# Delete profile
curl -X DELETE "https://app.nextbrowser.com/api/v1/browser/profiles/<profile-id>" \
  -H "Authorization: x-api-key $API_KEY"

# Start browser for profile (creates browser instance)
curl -X POST "https://app.nextbrowser.com/api/v1/browser/profiles/<profile-id>/start" \
  -H "Authorization: x-api-key $API_KEY"

# Get profile details (check status after start)
curl "https://app.nextbrowser.com/api/v1/browser/profiles/<profile-id>" \
  -H "Authorization: x-api-key $API_KEY"

# Stop browser for profile
curl -X PUT "https://app.nextbrowser.com/api/v1/browser/profiles/<profile-id>/stop" \
  -H "Authorization: x-api-key $API_KEY"

OS type: browser_settings.os_type defines the operating system fingerprint used by the browser. Supported values are windows, linux, macos, and android. If not provided, it defaults to linux.

Proxy modes: The proxy_settings.mode field controls which proxy is used:

  • built-in (default): Uses Nextbrowser's residential proxies. Specify country (ISO-2 code), and optionally region, city, isp, and proxy_type to narrow the location. Use the Locations endpoints (section 3) to discover available values.
  • custom: Uses your own proxy server. All five fields are required: protocol (http, https, or socks5), host, port, username, and password. The country/region/city/isp fields are ignored in custom mode.

Important: After creating a new profile (or recreating one, e.g. to change country), you must call the start endpoint to create a browser instance for it. Tasks will fail if the profile has no running browser.

Start/stop flow: After calling /start, poll GET /browser/profiles/<profile-id> until status becomes active. Only then proceed with tasks or call /stop when done.

3. Locations

The Locations endpoints provide available geolocation metadata for proxy and browser configuration. Use them to dynamically discover supported countries, regions, cities, and ISPs before creating profiles or running tasks under specific network conditions.

# List Countries
curl "https://app.nextbrowser.com/api/v1/location/countries?\
limit=<limit>&\
offset=<offset>&\
name=<name>&\
code=<iso2-code>&\
connection_type=<connection-type>" \
  -H "Authorization: x-api-key $API_KEY"

# List Regions
curl "https://app.nextbrowser.com/api/v1/location/regions?\
country__code=<iso2-country>&\
limit=<limit>&\
offset=<offset>&\
name=<name>&\
code=<region-code>&\
city__code=<city-code>&\
connection_type=<connection-type>" \
  -H "Authorization: x-api-key $API_KEY"

# List Cities
curl "https://app.nextbrowser.com/api/v1/location/cities?\
country__code=<iso2-country>&\
limit=<limit>&\
offset=<offset>&\
name=<name>&\
code=<city-code>&\
region__code=<region-code>&\
connection_type=<connection-type>" \
  -H "Authorization: x-api-key $API_KEY"

# List ISPs
curl "https://app.nextbrowser.com/api/v1/location/isps?\
country__code=<iso2-country>&\
limit=<limit>&\
offset=<offset>&\
name=<name>&\
code=<isp-code>&\
region__code=<region-code>&\
city__code=<city-code>&\
connection_type=<connection-type>" \
  -H "Authorization: x-api-key $API_KEY"

4. Tasks (Subagent)

Run autonomous browser tasks - like a subagent that handles browser interactions for you. Give it a prompt and it completes the task.

Always use fast mode - optimized for browser tasks, 3-5x faster than other models. Always use true for skip_plan_approval - optimized for automated tasks, skips the approval and improve performance.

curl -X POST "https://app.nextbrowser.com/api/v1/chat/tasks" \
  -H "Authorization: x-api-key $API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "task_description": "'"\
Go to Reddit.com account, check if the account is logged in (if not, use credentials stored). \
Find 10 relevant posts on the topic of AI Agents, upvote 8 of them and post 3 witty-sounding comments \
that a cynical and funny Reddit user would post. Ensure that the comment is posted, ask for approval \
if you are not sure whether such comment is okay. By the end, you should have at least 10 relevant posts \
viewed, 8 upvotes, and 3 comments."\
"'",
    "mode": "fast",
    "profile_id": "<profile-id>",
    "skip_plan_approval": true,
    "send_email_notification": false,
    "attached_files": ["<file-name-1>", "<file-name-2>"]
  }'

Endpoint: Stop chat session and task

The chat-session-id is returned in the response of - POST /api/v1/chat/tasks

curl -X PUT "https://app.nextbrowser.com/api/v1/chat/sessions/<chat-session-id>/stop" \
  -H "Authorization: x-api-key $API_KEY"

Endpoint: Poll for completion

curl "https://app.nextbrowser.com/api/v1/chat/tasks/<task-id>" \
  -H "Authorization: x-api-key $API_KEY"

curl "https://app.nextbrowser.com/api/v1/chat/tasks/<task-id>?from_step=3" \
  -H "Authorization: x-api-key $API_KEY"
  • Query params (optional):
    • from_step: integer >= 1. First step index to return. Defaults to 1 if missing/invalid. Use this parameter to poll only new steps.

Response

{
  "success": true,
  "payload": {
    "status": "finished",
    "output": "Task completed. 10 relevant posts are viewed, 8 upvotes are done and 3 comments posted.",
    "isSuccess": true,
    "steps": [
      {
        "created_at": "2025-01-01T10:00:00Z",
        "finished_at": "2025-01-01T10:00:05Z",
        "description": "Opened Reddit search page",
        "status": "completed",
        "step_number": 1
      }
      // ... more steps starting from from_step
    ],
    "total_steps": 5
  },
  "errors": {},
  "description": "Task retrieved successfully"
}

Field semantics

  • status: high-level task status: "processing" | "finished" | "failed".
  • output: final task output (if available).
  • isSuccess: true if task finished successfully, otherwise false.
  • steps: list of task steps starting from from_step (or from 1 by default).
  • step_number: sequential number of the step within the task, always starting at 1 in this array.
  • total_steps: total number of steps the task has, independent of from_step.

Task options

OptionDescription
task_descriptionYour prompt (required)
modeAlways use fast
profile_idUse a profile for auth
skip_plan_approvalAlways use true
send_email_notificationIf true, a completion email will be sent for the task.
attached_filesList of uploaded file names for this task (e.g. ["report.pdf", "data.csv"]). Optional.

Comments

Loading comments...