Is jamesfincher/browserbase-sessions safe?

The skill installs scripts/dedication_automation.mjs, a runnable ESM JavaScript module accessible via 'npm run dedication'. Its content was NOT captured by the audit because the .mjs file extension was excluded from the file content collection find pattern (which matched *.js but not *.mjs). The file's purpose is undocumented in SKILL.md, README.md, and CHANGELOG.md. This represents a significant unreviewed code execution surface that could contain credential harvesting, data exfiltration, or C2 logic that would not have been detected during the install-phase monitoring.

patchright-core, a specialized fork of Playwright engineered to evade browser fingerprinting and bot detection systems, is included as an optional dependency via @browserbasehq/stagehand. This is coupled with CAPTCHA bypass enabled by default in all sessions. This combination creates a powerful toolkit for bypassing anti-automation security measures, enabling potential mass scraping, credential stuffing, or automated abuse of web services that rely on these protections.

All browser sessions are recorded by default and stored on Browserbase's cloud infrastructure as video recordings and rrweb event streams. This includes sessions for authenticated banking, email, SaaS, and other sensitive services. If the user's BROWSERBASE_API_KEY is compromised, shared with the skill author, or accessed via Browserbase's platform, all recorded sessions become accessible to third parties. Users may not be aware their automated sessions are being recorded to an external service.

The get-cookies and execute-js commands provide full read access to authenticated session cookies and the ability to execute arbitrary JavaScript within authenticated browser contexts respectively. These capabilities together enable extraction of authentication tokens, sensitive page content, form data, local storage, session storage, and any DOM content from any site the agent navigates to on behalf of the user.

The skill's install command downloads Python packages from PyPI and Playwright/Chromium browser binaries from external CDNs at skill activation time. This extends the supply chain attack surface beyond the audited skill repository to external package ecosystems that are not verified by the audit.

The skill persists Browserbase Contexts containing cookies and local/session storage both locally (~/.browserbase/workspaces/) and on Browserbase's servers across sessions. A single workspace can maintain authenticated sessions across multiple sites simultaneously, creating a persistent credential store that outlives individual chat sessions and is potentially accessible to other co-installed skills that can read local filesystem paths.

The @browserbasehq/stagehand dependency transitively pulls in optional SDKs for Anthropic, OpenAI, Azure, Google Vertex, Groq, Mistral, Cerebras, DeepSeek, Perplexity, xAI, TogetherAI, Ollama, plus LangChain, OpenTelemetry, puppeteer-core, and patchright-core. This large surface increases supply chain compromise risk significantly.

Honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were opened and read at auditd timestamps 1771917275.591 (pre-install) and 1771917292.565 (post-install). The two-timepoint pattern is consistent with the audit framework's baseline comparison mechanism. Files were accessed read-only (CLOSE_NOWRITE) with no modification attempts, and no network traffic carrying canary content was observed. Canary integrity check confirmed all files intact.

package.json contains no preinstall, postinstall, prepare, or install npm lifecycle scripts. The only custom script is 'dedication' which must be explicitly invoked via 'npm run dedication'.

The skill repository contains no .githooks/ directory, .gitattributes smudge/clean filter configurations, .gitmodules pointing to external repositories, or symlinks targeting paths outside the skill directory. Installation is self-contained to the skill directory.