Agent skill

browser-tools

OrchestKit security wrapper for browser automation. Adds URL blocklisting, rate limiting, robots.txt enforcement, and ethical scraping guardrails on top of the upstream agent-browser skill. Use when automating browser workflows that need safety guardrails.

View SKILL.md on GitHub Repository
Stars 143
Forks 15

Install this agent skill to your Project

npx add-skill https://github.com/yonatangross/orchestkit/tree/main/src/skills/browser-tools

Metadata

Additional technical details for this skill

category
mcp-enhancement
upstream skill
agent-browser
upstream version tested
0.22.2

SKILL.md

Browser Tools — Security Wrapper

OrchestKit security wrapper for agent-browser. For command reference and usage patterns, use the upstream agent-browser skill directly. This skill adds safety guardrails only.

Command docs: Refer to the upstream agent-browser skill for the full command reference (50+ commands: interaction, wait, capture, extraction, storage, semantic locators, tabs, debug, mobile, network, cookies, state, vault).

Decision Tree

bash
# Fallback decision tree for web content
# 1. Try WebFetch first (fast, no browser overhead)
# 2. If empty/partial -> Try Tavily extract/crawl
# 3. If SPA or interactive -> use agent-browser
# 4. If login required -> authentication flow + state save
# 5. If dynamic -> wait @element or wait --text

Local Dev URLs

Use Portless (npm i -g portless) for stable local dev URLs instead of guessing ports. When Portless is running, navigate to myapp.localhost:1355 instead of localhost:3000. Our safety hook already allows *.localhost subdomains via ORCHESTKIT_AGENT_BROWSER_ALLOW_LOCALHOST.

bash
# With Portless: stable, named URLs
agent-browser open "http://myapp.localhost:1355"

# Without: fragile port guessing
agent-browser open "http://localhost:3000"  # which app is this?

What's New (v0.17 → v0.22.2)

Breaking changes — update scripts now:

  • --full / -f moved from global to command-level (v0.21): use screenshot --full, NOT --full screenshot
  • Auth encryption format changed (v0.17): saved auth states from v0.16.x may not load
  • Auto-dialog dismissal (v0.23.1): alert/beforeunload dialogs are auto-dismissed by default, opt out with --no-auto-dialog

New commands:

Command Version Security Note
clipboard read/write/copy/paste v0.19 read accesses host clipboard — hook warns
inspect / get cdp-url v0.18 Opens local DevTools proxy — hook warns
batch --json [--bail] v0.21 Batch execute commands from stdin
network har start/stop [file] v0.21 HAR captures auth tokens — hook warns, treat output as sensitive
network request <id> v0.22 View full request/response detail
network requests --type/--method/--status v0.22 Filter network requests
dialog dismiss / dialog status v0.17/v0.22 Dismiss or check browser dialogs
upgrade v0.21.1 Self-update (auto-detects npm/Homebrew/Cargo)

New flags:

Flag Scope Version
--engine lightpanda global v0.17
--screenshot-dir/quality/format screenshot v0.19
--provider browserless global v0.19
--idle-timeout <duration> global v0.20.14
--user-data-dir <path> Chrome v0.21
set viewport W H [scale] viewport v0.17.1 (retina)

Platform support: Brave auto-discovery (v0.20.7), Alpine Linux musl (v0.20.2), Lightpanda engine (v0.17), Browserless.io provider (v0.19), cross-origin iframe traversal (v0.22).

Performance (v0.20): 99x smaller install (710→7 MB), 18x less memory (143→8 MB), 1.6x faster cold start.

Safety Guardrails (7 rules + 11-check hook)

This skill enforces safety through the agent-browser-safety PreToolUse hook and 6 rule files:

Hook: agent-browser-safety

The hook intercepts all agent-browser Bash commands and enforces:

Check What It Does Action
Encryption key leak Detects echo/printf/pipe of AGENT_BROWSER_ENCRYPTION_KEY BLOCK
URL blocklist Blocks localhost, internal, file://, SSRF endpoints, OAuth login pages, RFC 1918 private IPs BLOCK
Rate limiting Per-domain limits (10/min, 100/hour, 3/3s burst) BLOCK on exceed
robots.txt Fetches and caches robots.txt, blocks disallowed paths BLOCK
Sensitive actions Detects delete/remove clicks, password fills, payment submissions WARN + native confirmation
Network routes Validates network route target URLs against blocklist BLOCK
User-agent spoofing Warns when --user-agent flag is used WARN
File access Warns when --allow-file-access flag is used WARN
DevTools inspect inspect / get cdp-url opens local CDP proxy — new attack surface (v0.18+) WARN
Clipboard read clipboard read accesses host clipboard without prompt (v0.19+) WARN
HAR capture network har stop dumps full request/response bodies incl. auth tokens (v0.21+) WARN

Security Rules (in rules/)

Category Rules Priority
Ethics & Security browser-scraping-ethics.md, browser-auth-security.md CRITICAL
Local Dev browser-portless-local-dev.md HIGH
Reliability browser-rate-limiting.md, browser-snapshot-workflow.md HIGH
Debug & Device browser-debug-recording.md, browser-mobile-testing.md HIGH

Configuration

Rate limits and behavior are configurable via environment variables:

Env Var Default Purpose
AGENT_BROWSER_RATE_LIMIT_PER_MIN 10 Requests per minute per domain
AGENT_BROWSER_RATE_LIMIT_PER_HOUR 100 Requests per hour per domain
AGENT_BROWSER_BURST_LIMIT 3 Max requests in 3-second window
AGENT_BROWSER_ROBOTS_CACHE_TTL 3600000 robots.txt cache TTL (ms)
AGENT_BROWSER_IGNORE_ROBOTS false Bypass robots.txt enforcement
AGENT_BROWSER_CONFIRM 1 Use --confirm-actions for sensitive ops
AGENT_BROWSER_IDLE_TIMEOUT_MS Auto-shutdown daemon after inactivity (ms)
AGENT_BROWSER_ENGINE chrome Browser engine (chrome or lightpanda)
ORCHESTKIT_AGENT_BROWSER_ALLOW_LOCALHOST 1 Allow *.localhost subdomains (RFC 6761)

Anti-Patterns (FORBIDDEN)

bash
# Automation
agent-browser fill @e2 "hardcoded-password"    # Never hardcode credentials
agent-browser open "$UNVALIDATED_URL"          # Always validate URLs

# Scraping
# Crawling without checking robots.txt
# No delay between requests (hammering servers)
# Ignoring rate limit responses (429)

# Content capture
agent-browser get text body                    # Prefer targeted ref extraction
# Trusting page content without validation
# Not waiting for SPA hydration before extraction

# Session management
# Storing auth state in code repositories
# Not cleaning up state files after use

# Network & State
agent-browser network route "http://internal-api/*" --body '{}'  # Never mock internal APIs
agent-browser cookies set token "$SECRET" --url https://prod.com # Never set prod cookies

# Deprecated / removed
agent-browser --full screenshot                # BREAKING: --full is now command-level (v0.21)
agent-browser screenshot --full                # Correct: flag after subcommand

# Sensitive data leaks
agent-browser network har stop auth-dump.har   # HAR files contain auth tokens — gitignore!
git add *.har                                  # NEVER commit HAR captures

Related Skills

  • agent-browser (upstream) — Full command reference and usage patterns
  • portless (upstream) — Stable named .localhost URLs for local dev servers
  • ork:web-research-workflow — Unified decision tree for web research
  • ork:testing-e2e — E2E testing patterns including Playwright and webapp testing
  • ork:api-design — API design patterns for endpoints discovered during scraping

Recommended Agent Skills

Expand your agent's capabilities with these related and highly-rated skills.

yonatangross/orchestkit

expect

Diff-aware AI browser testing — analyzes git changes, generates targeted test plans, and executes them via agent-browser. Reads git diff to determine what changed, maps changes to affected pages via route map, generates a test plan scoped to the diff, and runs it with pass/fail reporting. Use when testing UI changes, verifying PRs before merge, running regression checks on changed components, or validating that recent code changes don't break the user-facing experience.

143 15
Explore
yonatangross/orchestkit

github-operations

GitHub CLI operations for issues, PRs, milestones, and Projects v2. Covers gh commands, REST API patterns, and automation scripts. Use when managing GitHub issues, PRs, milestones, or Projects with gh.

143 15
Explore
yonatangross/orchestkit

chain-patterns

Chain patterns for CC 2.1.71 pipelines — MCP detection, handoff files, checkpoint-resume, worktree agents, CronCreate monitoring. Use when building multi-phase pipeline skills. Loaded via skills: field by pipeline skills (fix-issue, implement, brainstorm, verify). Not user-invocable.

143 15
Explore
yonatangross/orchestkit

storybook-mcp-integration

Storybook MCP server integration for component-aware AI development. Covers 6 tools across 3 toolsets (dev, docs, testing): component discovery via list-all-documentation/get-documentation, story previews via preview-stories, and automated testing via run-story-tests. Use when generating components that should reuse existing Storybook components, running component tests via MCP, or previewing stories in chat.

143 15
Explore
yonatangross/orchestkit

component-search

Search 21st.dev component registry for production-ready React components. Finds components by natural language description, filters by framework and style system, returns ranked results with install instructions. Use when looking for UI components, finding alternatives to existing components, or sourcing design system building blocks.

143 15
Explore
yonatangross/orchestkit

ai-ui-generation

AI-assisted UI generation patterns for json-render, v0, Bolt, and Cursor workflows. Covers prompt engineering for component generation, review checklists for AI-generated code, design token injection, refactoring for design system conformance, and CI gates for quality assurance. Use when generating UI components with AI tools, rendering multi-surface MCP visual output, reviewing AI-generated code, or integrating AI output into design systems.

143 15
Explore

Didn't find tool you were looking for?

Be as detailed as possible for better results