Use Nextbrowser cloud API to spin up cloud browsers for Openclaw to run autonomous browser tasks. Primary use is creating browser sessions with profiles (per...
Security Analysis
Medium confidence
The skill's stated purpose (cloud browsers and autonomous browser tasks) matches its instructions, but there are notable inconsistencies and risky directives (missing declared credentials/config, persistent credential handling, and instructions to bypass task approvals) that merit caution.
The name/description say the skill will spin up cloud browsers, manage profiles, and run autonomous browser tasks — the SKILL.md contains API calls for profiles, locations, credentials, and tasks that directly implement that purpose. However, the metadata declares no primary credential or required config paths even though the runtime instructions require an API key stored in openclaw config (skills.entries.next-browser.apiKey). That mismatch between declared metadata and runtime requirements is an inconsistency.
The SKILL.md instructs the agent to read the OpenClaw config for an API key, call Nextbrowser endpoints to list/store credentials and profiles (which persist logins/cookies), and to run autonomous 'task' subagents that can log into third-party accounts and perform actions (examples include upvoting and posting comments). It also explicitly recommends always using skip_plan_approval=true and 'fast' mode, which reduces manual oversight. These instructions give the agent broad authority to act on user accounts and to store/reuse sensitive credentials; that scope goes beyond simple read-only browser inspection and could enable abusive behavior if misused.
This is an instruction-only skill with no install spec and no code files, so it does not write binaries or download third-party code during install. That minimizes install-time risk.
Although the skill needs an API key, the registry metadata lists no required environment variables and no config paths. The SKILL.md requires an API key stored at openclaw config path skills.entries.next-browser.apiKey and shows examples using an $API_KEY header. The omission of any declared primary credential or required config path in the metadata is a mismatch. Additionally, the skill instructs use of Nextbrowser-managed credential IDs (i.e., storing/using third-party account credentials), which is high-sensitivity functionality and should be clearly declared and justified.
The skill is not marked always:true and does not request elevated install persistence. However, it recommends skip_plan_approval=true for autonomous subagents, which effectively reduces approval checkpoints and increases the risk of automated, unchecked actions. The skill also relies on Nextbrowser to persist profiles and credentials outside the agent — that persistence is a functional requirement but a privacy/abuse risk and should be considered when enabling the skill.
Guidance
This skill appears to implement what it says (cloud browsers, profiles, automated browser tasks) but has two important issues: (1) the SKILL.md requires an API key stored in OpenClaw config (skills.entries.next-browser.apiKey), yet the registry metadata does not declare any required credential or config path — confirm where the key is stored and why metadata omits it; (2) the skill instructs storing and reusing credentials/profiles and explicitly recommends skip_plan_approval=true for autonomous tasks, which can let the agent log into and act on third-party accounts without additional human approval. Before installing: verify the Nextbrowser service is legitimate (official docs, ownership, privacy policy), avoid putting high-privilege or shared account credentials into this service, consider refusing skip_plan_approval or requiring manual approval for sensitive tasks, and ask the skill author/registry to declare the required config/credentials in the metadata. If you plan to use it for account actions (posting, voting, automated logins), be aware of abuse/ToS/legal risks and audit activities closely.
Latest Release
v1.0.0
Initial release of next-browser-1 skill.
- Enables integration with Nextbrowser cloud API for autonomous browser tasks via Openclaw.
- Supports browser profiles with persisted cookies/logins and credential management.
- Allows dynamic discovery of proxy/geolocation options (countries, cities, regions, ISPs).
- Provides endpoints and examples for running and monitoring autonomous browser tasks using subagents.
- Requires API key setup for use; detailed configuration instructions provided.
- Links to full API documentation for further reference.
Published by @highxshell on ClawHub