Agent Browser
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill is a disclosed browser automation helper, but review is warranted because it can run an unpinned external CLI, operate logged-in sessions, and includes proxy guidance for avoiding rate limits/bans.
Install only if you trust and can verify the actual agent-browser CLI package. Use it only on sites and accounts you are authorized to automate, avoid proxy rotation for evasion, confirm high-impact actions before the agent clicks or submits, and protect or delete saved auth-state files.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill may execute external package code with browser and local user privileges before that code has been reviewed or pinned.
The skill can invoke agent-browser through npx, but the registry shows no install spec and the executable package/source is not included in the reviewed artifacts.
allowed-tools: Bash(npx agent-browser:*), Bash(agent-browser:*)
Only use a trusted, pinned, reviewed agent-browser package/source; avoid entering real credentials until the runtime package is verified.
This could lead an agent to bypass website controls, violate site terms, or put the user's accounts, IPs, or organization at risk.
The proxy documentation explicitly promotes rotating proxies for scraping to avoid rate limits and bans.
Proxy configuration for geo-testing, rate limiting avoidance... / Rotate through proxy list to avoid rate limiting
Use proxies only for authorized testing or corporate routing, and do not use the skill to evade rate limits, bans, or access controls.
If used with real accounts, browser actions such as clicks, form submissions, and uploads occur with the user's privileges.
The skill is intended to log into websites and act in authenticated sessions, which is expected for this purpose but gives the agent delegated account authority.
Login flows, session persistence, OAuth, 2FA, and authenticated browsing.
Use least-privileged or test accounts when possible, and require explicit user confirmation before purchases, account changes, public posts, or other high-impact actions.
Anyone who obtains a saved state file may be able to reuse authenticated sessions or see private browsing state.
Saved browser state can contain reusable session tokens and other sensitive storage that persist across runs.
State File Contents: { "cookies": [...], "localStorage": {...}, "sessionStorage": {...}, "origins": [...] }Store state files outside repositories, restrict file permissions, delete them after use, and avoid sharing them with other agents or users.
Generated or copied JavaScript could read or modify page content in an authenticated browser session.
The command reference includes arbitrary JavaScript execution in the browser page context.
agent-browser eval -b "<base64>" # Any JavaScript (base64 encoded) agent-browser eval --stdin # Read script from stdin
Prefer normal snapshot/click/fill commands, and review any JavaScript before running eval against real accounts or sensitive pages.
Open sessions, cookies, or browser state may remain available after the immediate task unless cleaned up.
The browser process/session can remain active between commands rather than ending after each action.
The browser persists between commands via a background daemon
Close browser sessions after use and clear cookies or saved state when the task is complete.