ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

browser-automation

v1.0.0

Automate web browser interactions using natural language via CLI commands. Use when the user asks to browse websites, navigate web pages, extract data from w...

0· 76·0 current·0 all-time
by@tobeyrebecca

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for tobeyrebecca/toby-browser-automation.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "browser-automation" (tobeyrebecca/toby-browser-automation) from ClawHub.
Skill page: https://clawhub.ai/tobeyrebecca/toby-browser-automation
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install toby-browser-automation

ClawHub CLI

Package manager switcher

npx clawhub@latest install toby-browser-automation
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The declared purpose (browser automation) matches the instructions (CLI commands to navigate, act, extract, screenshot, etc.). However the package metadata claims no required env vars while SKILL.md and setup.json reference SKILLBOSS_API_KEY; that metadata mismatch is incoherent. The skill also expects Chrome and a globally linked 'browser' CLI which is reasonable for a CLI tool but may be disproportionate if a lightweight instruction-only adapter was intended.
!
Instruction Scope
SKILL.md tells the agent/user to run npm install and npm link (writes to disk and creates a global binary), to launch Chrome with a persistent profile (.chrome-profile) and remote debugging, and to route AI-driven actions via SkillBoss API Hub. Those instructions enable persistent storage of cookies/sessions and automatic downloads to ./agent/downloads, and they imply that page content and extracted data may be sent to an external model API. The automatic mode selection 'no user prompting' (local vs remote) and lack of clarity about what page data is transmitted are scope/privilege concerns.
Install Mechanism
There is no registry install spec (skill is instruction-only), but SKILL.md instructs the user to run 'npm install' and 'npm link' in the skill directory. That requires building artifacts locally and will create a global 'browser' command which can override existing binaries — a benign action for a CLI but worth flagging because it changes system state and can shadow other tools.
!
Credentials
The skill references SKILLBOSS_API_KEY (frontmatter and setup.json) even though registry metadata lists no required env vars, an inconsistency. Using a third‑party API hub for AI-driven element selection/extraction implies that scraped page content (possibly including form fields, screenshots, and cookies) could be sent to that external service — a high-impact data flow that must be justified and consented to. The skill recommends storing the API key in .env or exporting it globally, which increases risk if the remote service receives sensitive page data.
Persistence & Privilege
The skill uses a persistent Chrome profile (.chrome-profile) and a downloads directory (./agent/downloads), which intentionally preserves session cookies and downloaded files between runs. 'always' is false and the skill does not request system-wide config changes beyond creating a global CLI via npm link, but persistent browser state plus remote routing increases the chance of leaking long-lived credentials or session cookies.
What to consider before installing
This skill appears to do real browser automation but has several red flags. Before installing or running it: (1) confirm the registry metadata vs SKILL.md inconsistency for SKILLBOSS_API_KEY — ask the author whether remote mode is optional and what data is sent to the SkillBoss API Hub; (2) avoid adding your real credentials or visiting sensitive accounts while testing — the skill preserves a Chrome profile and may upload page content to a third-party model; (3) be cautious running 'npm link' because it creates a global 'browser' command that can shadow other binaries — consider running in a disposable VM/container or using a local-only install; (4) if you must use remote mode, request a privacy/security policy from the service describing retention and exactly what is transmitted; (5) prefer using the tool with an ephemeral profile and non-sensitive test sites until you have audited the code or obtained clearer assurances from the author.

Like a lobster shell, security has layers — review code before you run it.

aivk977bsft5vr6dz3s3fpffqpjq984tej9automationvk977bsft5vr6dz3s3fpffqpjq984tej9latestvk977bsft5vr6dz3s3fpffqpjq984tej9
76downloads
0stars
1versions
Updated 2w ago
v1.0.0
MIT-0
@tobeyrebecca
aiautomationlatest
Download

📖 Complete setup guide: https://skillboss.co/skill.md

Browser Automation

Automate browser interactions using Stagehand CLI with SkillBoss API Hub.

First: Environment Selection (Local vs Remote)

The skill automatically selects between local and remote browser environments:

  • If SKILLBOSS_API_KEY exists (SKILLBOSS_API_KEY in .env file): Uses SkillBoss API Hub remote mode
  • If no SKILLBOSS_API_KEY: Falls back to local Chrome browser
  • No user prompting: The selection happens automatically based on available configuration

Setup (First Time Only)

Check setup.json in this directory. If setupComplete: false:

npm install    # Install dependencies
npm link       # Create global 'browser' command

Commands

All commands work identically in both modes:

browser navigate <url>                    # Go to URL
browser act "<action>"                    # Natural language action
browser extract "<instruction>" ['{}']    # Extract data (optional schema)
browser observe "<query>"                 # Discover elements
browser screenshot                        # Take screenshot
browser close                             # Close browser

Quick Example

browser navigate https://example.com
browser act "click the Sign In button"
browser extract "get the page title"
browser close

Mode Comparison

FeatureLocalSkillBoss API Hub
SpeedFasterSlightly slower
SetupChrome requiredSKILLBOSS_API_KEY required
Stealth modeNoYes
Proxy/CAPTCHANoYes
Best forDevelopmentProduction/scraping

Best Practices

  1. Always navigate first before interacting
  2. View screenshots after each command to verify
  3. Be specific in action descriptions
  4. Close browser when done

Troubleshooting

  • Chrome not found: Install Chrome or use SkillBoss API Hub remote mode
  • Action fails: Use browser observe to discover available elements
  • Remote mode fails: Verify SKILLBOSS_API_KEY is set

For detailed examples, see EXAMPLES.md. For API reference, see REFERENCE.md.

Comments

Loading comments...