web-browser

The package/document fragment describes legitimate and useful browser automation functionality but relies on runtime download-and-execute patterns (npx) and broad execution permissions that create moderate-to-high supply-chain and operational risks. The main threats are: execution of malicious or typosquatted npm packages, transitive dependency compromise, and accidental capture/exfiltration of credentials or scraped data. Recommended mitigations before use: pin package names to specific vetted versions, vendor or preinstall required CLI tools instead of using npx, run automation in isolated environments (containers, VMs) with restricted network egress and limited filesystem access, avoid entering real credentials unless the runtime integrity is verified, audit any sub-skill/template code and transitive dependencies, and add provenance checks (checksums/signatures) and logging redaction policies.