Browser automation CLI for AI agents with anti-detection stealth browsing, captcha solving, and parallel multi-browser support. Use when the user needs to in...
Security Analysis
medium confidenceThe skill's requests and instructions are broadly consistent with a browser-automation tool, but several high-risk behaviors (cloud captcha solving that transmits page URLs, CDP control of the user's running Chrome, and installing an external PyPI package) raise privacy and trust concerns that should be explicitly reviewed before installing.
The name/description (stealth browsing, captcha solving, parallel browsers, connect-to-Chrome) matches what the SKILL.md instructs: installing a CLI, creating stealth profiles, using proxies, and optionally connecting to a local Chrome via CDP. Requiring network access and filesystem profiles is coherent with these capabilities.
The runtime instructions direct the agent to install and invoke a third-party CLI and to perform actions that may access sensitive data: connecting to the user's running Chrome (CDP), persisting browser profiles (cookies, cache) locally, and sending metadata for captcha solving/stealth management. Although the SKILL.md asserts that cookies/page HTML/screenshots/credentials are never uploaded, the instructions explicitly transmit page URLs and captcha element coordinates to a cloud service — a potentially sensitive leak depending on context.
The skill is instruction-only (no bundled code) and tells the agent to install browser-act-cli from PyPI via 'uv tool install'. Installing a PyPI package at runtime is typical for CLI-based skills but still carries supply-chain risk: the skill delegates execution to a third-party package whose code is not included for review here. The registry metadata did not include a formal install spec, so the install step relies entirely on the SKILL.md text.
No environment variables are requested, which aligns with the manifest, but the skill stores credentials and settings in a local config.json and uses a cloud API for captcha/stealth management. Transmitting page URLs and proxy hosts to BrowserAct's cloud is justified for captcha solving but is sensitive (reveals targets). The SKILL.md claims certain things are 'never uploaded' — that promise is hard to verify and depends on the CLI implementation and its security practices.
The skill does not ask for 'always: true', but it requests persistent local storage of browser profiles and the ability to attach to a running Chrome via CDP. CDP access can control and read the user's active browser session; even if the tool claims not to exfiltrate cookies or page HTML, that level of access is a high privilege and should be granted only with explicit user understanding and caution.
Guidance
This skill behaves like a full-featured browser automation tool that installs a third-party CLI and can (a) connect to your running Chrome session and (b) call BrowserAct cloud services for captcha/stealth management. Before installing: (1) verify the PyPI package and its source code (inspect the project's repository and recent release history), (2) confirm the trustworthiness of the BrowserAct service and its privacy policy, (3) avoid using Real Chrome/CDP mode unless you accept that the CLI can control your active browser session, (4) prefer ephemeral/private mode when possible to avoid persistent profiles, and (5) review the local config.json after first run to see what credentials are stored. If you cannot validate the upstream package or do not want page URLs shared with a third party, do not install this skill.
Latest Release
v1.0.12
- Clarified and expanded metadata on runtime requirements, permission usage, cloud/local data storage, and privacy guarantees. - Added explicit details on config file paths and browser data storage locations. - Listed required permissions for network access, filesystem operations, and CDP connection (for Real Chrome control). - Improved documentation of what user/session/browser data may be transmitted to the cloud, and what is strictly local. - No changes to CLI usage or functionality. Documentation/metadata improvements only.
Popular Skills
Published by @browseract-ai on ClawHub
