Advanced headless browser automation skill for OpenClaw agents. Enables intelligent web navigation, form filling, data extraction, and UI testing with structured commands and semantic element targeting.
Security Analysis
medium confidence
The skill's declared purpose (browser automation) matches the instructions, but it directs installing an unvetted global npm package with no homepage or source provenance and includes commands that can capture and persist sensitive session data. This combination is concerning.
Name/description (browser automation) align with required binaries (node, npm) and the SKILL.md which instructs use of an npm-based tool (agent-browser). The instructions and command set (open, snapshot, click, fill, screenshot, state save) are coherent with a headless/browser automation capability.
The SKILL.md stays within browser-automation scope (navigating pages, filling forms, saving session state). It does instruct saving session state to files (e.g., session.json) and performing login flows and uploads — actions that legitimately require handling credentials and local file writes but also provide opportunity to capture/exfiltrate sensitive data. The instructions do not ask the agent to read unrelated system files or environment variables, but they give broad discretion to interact with arbitrary external websites and persist session state.
There is no formal install spec in the registry, but SKILL.md recommends running `npm install -g agent-browser` (and `agent-browser install --with-deps`). Installing an unverified, unnamed global npm package is a moderate-to-high risk: npm packages run arbitrary code at install and at runtime. The skill has no homepage, source repo, or checksum, so provenance cannot be confirmed. This is the main security concern.
The skill declares no required environment variables or credentials (which is proportionate). However, its recipes explicitly handle authentication flows and saving session files; users will be asked to supply credentials for target sites. Because the skill can persist session files and interact with arbitrary sites, users should treat any credentials or session data provided as potentially accessible to whatever code the 'agent-browser' package installs.
The skill is not always-enabled and does not request system config paths or elevated privileges. It also does not modify other skills' configs. Autonomous invocation remains allowed (default), which is normal for skills and not flagged here by itself.
Guidance
This skill appears to do what it says, but it delegates functionality to an npm package named 'agent-browser' with no homepage or source link. Installing that package globally can run arbitrary code on your system, and the tool is instructed to capture logins and save session files (which may contain credentials). Before installing or running:
1) verify the 'agent-browser' package on npmjs.com and the publisher's identity and inspect its repository/source code (or avoid global install);
2) prefer running such tools in an isolated sandbox or VM;
3) do not use real credentials or sensitive targets until you audit the package;
4) consider using well-known alternatives (Puppeteer/Playwright) whose code you can review;
5) if you proceed, install locally (not -g) or review the package contents first and check for postinstall scripts or unexpected network endpoints.
Latest Release
v1.0.2
## browserautomation-skill 1.0.2 Changelog
- Updated README.md instructions and documentation for clarity and completeness.
- No code, command, or feature changes in this version.
Published by @StveenLi on ClawHub