← Back to Skills Marketplace
a-din

Xiaopi Agent Browser

by Adin · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
97
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install xiaopi-agent-browser
Description
A fast Rust-based headless browser automation CLI with Node.js fallback that enables AI agents to navigate, click, type, and snapshot pages via structured co...
Usage Guidance
This skill is plausibly a useful browser-automation wrapper, but there are red flags around provenance and install instructions. Before installing or allowing the agent to run it autonomously: 1) Verify the npm package name 'agent-browser' and inspect the package on the npm registry for publisher, version, and install scripts; 2) Confirm the upstream repository (the SKILL.md references github.com/vercel-labs/agent-browser) — check the repo owner, tags, and source code; 3) Resolve metadata mismatches (ownerId/slug/version differences between registry metadata and _meta.json) with the publisher; 4) If you must test, install and run it in a sandbox or isolated VM/container and avoid global npm installs on production hosts; 5) Limit the agent's access to local files and outgoing network when first enabling the skill. If you cannot verify the upstream package and author, treat the skill as untrusted.
Capability Analysis
Type: OpenClaw Skill Name: xiaopi-agent-browser Version: 1.0.0 The skill provides a comprehensive wrapper for the `agent-browser` CLI, enabling full headless browser control. It includes high-risk capabilities such as executing arbitrary JavaScript (`eval`), accessing and saving session state including cookies (`state save`, `cookies`), and intercepting network traffic (`network route`). While these features are aligned with the stated purpose of web automation and testing, they represent a significant attack surface for potential data exfiltration or session hijacking. The skill documentation in `SKILL.md` correctly reflects the capabilities of the legitimate upstream tool (https://github.com/vercel-labs/agent-browser), but the inherent power of the tool meets the criteria for a suspicious classification.
Capability Assessment
Purpose & Capability
The SKILL.md describes a Rust-based CLI with a Node.js fallback and shows npm-based installation instructions. The registry metadata requires node and npm as binaries, yet a Rust binary would not normally require npm. The SKILL.md also documents building from source (git + pnpm) but the skill's declared required binaries do not include git or pnpm. Additionally, the skill registry entry (slug/version/owner) does not match the _meta.json contents (different ownerId, slug, and version), and the package has no declared homepage or source URL in the registry — these inconsistencies suggest packaging/copying or provenance issues.
Instruction Scope
The runtime instructions are narrowly focused on browser automation commands (navigate, snapshot, click, fill, upload, screenshot, etc.), which aligns with the described purpose. The document includes commands that can access pages, cookies/storage, and upload local files — expected for a browser automation tool but potentially capable of exposing sensitive local data if misused. The SKILL.md does not instruct reading unrelated system files or environment variables.
Install Mechanism
There is no formal install spec in the skill bundle (instruction-only), but SKILL.md recommends npm global installation (npm install -g agent-browser) and provides a from-source path requiring git and pnpm. Running npm install -g executes package install scripts from the npm registry, which can run arbitrary code on the host. Because the registry metadata has no source/homepage and the skill manifest mismatches the included _meta.json, it's unclear whether the npm package name and upstream repository are trustworthy. The absence of declared git/pnpm in required binaries is another mismatch.
Credentials
The skill declares no required environment variables or credentials, and SKILL.md does not request secrets. That is proportionate for a browser automation CLI. However, the tool's capabilities (navigation, cookies, file upload) mean an installed CLI could access local files and network endpoints, so installation should be treated with the same caution as installing any third-party CLI.
Persistence & Privilege
The skill does not request always:true and uses default agent invocation settings. It is instruction-only and does not include code that would be written to disk by the platform. Autonomous invocation is allowed (platform default) — combine that with the install concerns above when deciding whether to permit autonomous runs.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install xiaopi-agent-browser
  3. After installation, invoke the skill by name or use /xiaopi-agent-browser
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of agent-browser: a fast Rust-based CLI for browser automation. - Enables AI agents to navigate, interact, and extract data from web pages via structured commands. - Supports navigation, clicking, typing, form filling, screenshots, PDFs, video recording, and state management. - Offers both element ref and semantic locator-based interactions. - Provides commands for cookies, storage, network control, tabs/windows, frames, dialogs, and custom JavaScript. - Includes detailed CLI usage and workflow examples for quick start. - Node.js fallback included for broad compatibility.
Metadata
Slug xiaopi-agent-browser
Version 1.0.0
License MIT-0
All-time Installs 1
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Xiaopi Agent Browser?

A fast Rust-based headless browser automation CLI with Node.js fallback that enables AI agents to navigate, click, type, and snapshot pages via structured co... It is an AI Agent Skill for Claude Code / OpenClaw, with 97 downloads so far.

How do I install Xiaopi Agent Browser?

Run "/install xiaopi-agent-browser" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Xiaopi Agent Browser free?

Yes, Xiaopi Agent Browser is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Xiaopi Agent Browser support?

Xiaopi Agent Browser is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Xiaopi Agent Browser?

It is built and maintained by Adin (@a-din); the current version is v1.0.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments