Agent Browser
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill is coherent for browser automation, but it can control logged-in web sessions and handle sensitive page/session data, so users should use it only with trusted tooling and explicit direction.
This skill does not show artifact-backed malicious behavior, but it is powerful. Use it only with a trusted `agent-browser` executable, give explicit instructions for logged-in sites, confirm before submissions or uploads, protect saved auth-state files, and treat webpage content as untrusted.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a different or untrusted `agent-browser` executable is present on the system, it could receive browser actions, credentials, or session state.
The skill's instructions invoke `agent-browser`, but the artifact metadata does not declare or install that core executable, so the reviewed artifacts do not establish its provenance.
Required binaries (all must exist): none ... No install spec — this is an instruction-only skill.
Before using the skill, verify that `agent-browser` is installed from a trusted source and is the intended executable.
An agent using this skill on a logged-in site could submit forms, upload files, or trigger changes if not carefully directed.
The browser tool can perform real interactions on websites, including form entry, clicks, and file uploads. These are central to the stated purpose but can have account or data consequences.
agent-browser click @e1 # Click agent-browser fill @e2 "text" # Clear and type agent-browser upload @e1 file.pdf # Upload files
Use explicit user instructions and confirmation for sensitive actions such as submissions, purchases, admin changes, public posts, or file uploads.
Using proxy rotation for scraping may violate website terms, trigger account blocks, or create legal/compliance risk.
Proxy use is disclosed and can be legitimate for testing or corporate networks, but the documentation also mentions avoiding rate limits and bans.
useful for geo-testing, rate limiting avoidance ... Rotate proxies for large scraping jobs - Distribute load and avoid bans
Use proxies only where authorized and avoid workflows intended to bypass site access controls or rate limits.
Saved state files or entered credentials could grant access to the user's accounts if exposed or used on the wrong site.
The skill supports entering credentials and saving authenticated browser state. The documentation also acknowledges that state files contain session tokens.
agent-browser fill @e2 "password123" agent-browser state save ./auth-state.json Never commit state files - They contain session tokens
Use environment variables for credentials, store auth-state files outside shared repos, restrict file permissions, and delete state files after use.
Sensitive page text may be exposed to the agent context, and untrusted web pages may contain prompt-like text that tries to influence the agent.
The snapshot workflow intentionally brings web page content into the agent context so the agent can decide what to do next.
Full DOM/HTML sent → AI parses → Generates CSS selector → Executes action Compact snapshot → @refs assigned → Direct ref interaction
Treat page content as untrusted data, not instructions; scope snapshots where possible and avoid using this on pages containing unnecessary sensitive information.