🇺🇸English
Browser Tools — Security Wrapper
OrchestKit security wrapper for agent-browser. For command reference and usage patterns, use the upstreamagent-browser skill directly. This skill adds safety guardrails only.
Command docs : Refer to the upstream agent-browser skill for the full command reference (50+ commands: interaction, wait, capture, extraction, storage, semantic locators, tabs, debug, mobile, network, cookies, state, vault).
Decision Tree
# Fallback decision tree for web content
# 1. Try WebFetch first (fast, no browser overhead)
# 2. If empty/partial -> Try Tavily extract/crawl
# 3. If SPA or interactive -> use agent-browser
# 4. If login required -> authentication flow + state save
# 5. If dynamic -> wait @element or wait --text
Local Dev URLs
Use Portless (npm i -g portless) for stable local dev URLs instead of guessing ports. When Portless is running, navigate to myapp.localhost:1355 instead of localhost:3000. Our safety hook already allows *.localhost subdomains via ORCHESTKIT_AGENT_BROWSER_ALLOW_LOCALHOST.
# With Portless: stable, named URLs
agent-browser open "http://myapp.localhost:1355"
# Without: fragile port guessing
agent-browser open "http://localhost:3000" # which app is this?
What's New (v0.17 → v0.22.2)
Breaking changes — update scripts now:
--full / -f moved from global to command-level (v0.21): use screenshot --full, NOT --full screenshot- Node.js/Playwright daemon fully removed (v0.20):
--native and AGENT_BROWSER_NATIVE=1 are no-ops
-C / --cursor flag for snapshot deprecated (v0.22): cursor-interactive elements included by default- Auth encryption format changed (v0.17): saved auth states from v0.16.x may not load
New commands:
| Command | Version | Security Note |
|---|
clipboard read/write/copy/paste | v0.19 | read accesses host clipboard — hook warns |
inspect / get cdp-url | v0.18 | Opens local DevTools proxy — hook warns |
batch --json [--bail] | v0.21 | Batch execute commands from stdin |
network har start/stop [file] |
New flags:
| Flag | Scope | Version |
|---|
--engine lightpanda | global | v0.17 |
--screenshot-dir/quality/format | screenshot | v0.19 |
--provider browserless | global | v0.19 |
--idle-timeout <duration> | global | v0.20.14 |
--user-data-dir <path> | Chrome |
Platform support: Brave auto-discovery (v0.20.7), Alpine Linux musl (v0.20.2), Lightpanda engine (v0.17), Browserless.io provider (v0.19), cross-origin iframe traversal (v0.22).
Performance (v0.20): 99x smaller install (710→7 MB), 18x less memory (143→8 MB), 1.6x faster cold start.
Safety Guardrails (7 rules + 11-check hook)
This skill enforces safety through the agent-browser-safety PreToolUse hook and 6 rule files:
Hook: agent-browser-safety
The hook intercepts all agent-browser Bash commands and enforces:
| Check | What It Does | Action |
|---|
| Encryption key leak | Detects echo/printf/pipe of AGENT_BROWSER_ENCRYPTION_KEY | BLOCK |
| URL blocklist | Blocks localhost, internal, file://, SSRF endpoints, OAuth login pages, RFC 1918 private IPs | BLOCK |
| Rate limiting | Per-domain limits (10/min, 100/hour, 3/3s burst) | BLOCK on exceed |
| robots.txt | Fetches and caches robots.txt, blocks disallowed paths | BLOCK |
|
Security Rules (in rules/)
| Category | Rules | Priority |
|---|
| Ethics & Security | browser-scraping-ethics.md, browser-auth-security.md | CRITICAL |
| Local Dev | browser-portless-local-dev.md | HIGH |
| Reliability | browser-rate-limiting.md, browser-snapshot-workflow.md | HIGH |
| Debug & Device | browser-debug-recording.md, |
Configuration
Rate limits and behavior are configurable via environment variables:
| Env Var | Default | Purpose |
|---|
AGENT_BROWSER_RATE_LIMIT_PER_MIN | 10 | Requests per minute per domain |
AGENT_BROWSER_RATE_LIMIT_PER_HOUR | 100 | Requests per hour per domain |
AGENT_BROWSER_BURST_LIMIT | 3 | Max requests in 3-second window |
AGENT_BROWSER_ROBOTS_CACHE_TTL | 3600000 | robots.txt cache TTL (ms) |
AGENT_BROWSER_IGNORE_ROBOTS |
Anti-Patterns (FORBIDDEN)
# Automation
agent-browser fill @e2 "hardcoded-password" # Never hardcode credentials
agent-browser open "$UNVALIDATED_URL" # Always validate URLs
# Scraping
# Crawling without checking robots.txt
# No delay between requests (hammering servers)
# Ignoring rate limit responses (429)
# Content capture
agent-browser get text body # Prefer targeted ref extraction
# Trusting page content without validation
# Not waiting for SPA hydration before extraction
# Session management
# Storing auth state in code repositories
# Not cleaning up state files after use
# Network & State
agent-browser network route "http://internal-api/*" --body '{}' # Never mock internal APIs
agent-browser cookies set token "$SECRET" --url https://prod.com # Never set prod cookies
# Deprecated / removed (v0.20+)
agent-browser --native screenshot # --native removed, Rust is the ONLY impl
AGENT_BROWSER_NATIVE=1 agent-browser open ... # No-op since v0.20
agent-browser --full screenshot # BREAKING: --full is now command-level
agent-browser screenshot --full # Correct: flag after subcommand
# Sensitive data leaks
agent-browser network har stop auth-dump.har # HAR files contain auth tokens — gitignore!
git add *.har # NEVER commit HAR captures
Related Skills
agent-browser (upstream) — Full command reference and usage patternsportless (upstream) — Stable named .localhost URLs for local dev serversork:web-research-workflow — Unified decision tree for web researchork:testing-e2e — E2E testing patterns including Playwright and webapp testingork:api-design — API design patterns for endpoints discovered during scraping
Weekly Installs
94
Repository
yonatangross/orchestkit
GitHub Stars
135
First Seen
Feb 13, 2026
Security Audits
Gen Agent Trust HubPassSocketPassSnykWarn
Installed on
opencode89
gemini-cli88
codex87
cursor87
github-copilot87
amp84
