Guide Claude through deploying serverless browser automation using the official bb CLI
Security Analysis
Medium confidence: The SKILL.md describes a legitimate Browserbase/`bb` CLI workflow and correctly requires a Browserbase API key and project ID, but the registry metadata claims no required environment variables and the skill has no known source/homepage; this mismatch and lack of provenance are concerning.
The skill's stated purpose (deploy serverless browser automation with the official bb CLI) matches the instructions, but the registry metadata lists no required environment variables or credentials while the SKILL.md clearly requires BROWSERBASE_API_KEY and BROWSERBASE_PROJECT_ID. The skill's source and homepage are unknown, which reduces provenance for a tool that requests an API key.
The SKILL.md stays within the claimed scope: it walks through initializing a function project, adding a .env with Browserbase credentials, running pnpm/`bb` dev and publish, and invoking functions. It also shows patterns for authenticated automation (filling login forms) which is consistent with browser automation but elevates risk because user account credentials may be passed into functions/params.
This is an instruction-only skill with no install spec or code files, so nothing will be written or executed by the skill itself. That lowers installer risk — the user runs the commands. The SKILL.md recommends using pnpm dlx and pnpm install which pull packages from npm; that's expected for this workflow but you should verify the packages are official.
The SKILL.md requires BROWSERBASE_API_KEY and BROWSERBASE_PROJECT_ID (and the example uses them in curl and process.env). Those credentials are proportionate to the task, but the registry metadata omits them — an inconsistency. The skill also encourages storing credentials in a .env file and passing sensitive site login credentials through function params, which can lead to accidental exposure if not handled securely.
The skill does not request persistent presence (always:false), does not modify other skills' configs, and declares no config paths. It does not request elevated system privileges.
Guidance
This skill's instructions look legitimate for deploying Browserbase functions, but exercise caution before using it:
1) Verify the skill's provenance: find an official homepage or repo and confirm @browserbasehq/sdk-functions and the `bb` CLI are the real packages.
2) Do not paste API keys or passwords into public chat; prefer a secrets manager or CI environment variables instead of committing a .env file.
3) Avoid passing real user credentials in function params unless you control the storage and access policies for those invocations.
4) Confirm the minimal scope/permissions of the Browserbase API key you create.
5) If you can't verify the skill's source or the npm packages it installs, treat it as higher risk and don't proceed.
Latest Release
v1.0.0
Initial release of the "functions" skill for Browserbase:
- Provides a comprehensive guide for deploying serverless browser automation using the official bb CLI.
- Includes getting started instructions, credential setup, project initialization, and .env configuration.
- Details development workflow, including local dev server, testing, auto-reloading, and debugging.
- Explains deployment, invocation (via curl and code), and polling for results.
- Offers recipes for common patterns: parameterized scraping, authentication workflows, and error handling.
- Features CLI reference and troubleshooting tips for typical setup and runtime issues.
Published by @peytoncasper on ClawHub