OrchestKit security wrapper for browser automation. Adds URL blocklisting, rate limiting, robots.txt enforcement, and ethical scraping guardrails on top of the upstream agent-browser skill. Use when automating browser workflows that need safety guardrails.

Reference medium

Auto-activated — this skill loads automatically when Claude detects matching context.

Connections

Used by

Brainstorm Verify

Agent

Web Research Analyst

Web Research Workflow Audit Full Distributed Systems Expect Mcp Patterns

Browser Tools — Security Wrapper

OrchestKit security wrapper for agent-browser. For command reference and usage patterns, use the upstream agent-browser skill directly. This skill adds safety guardrails only.

Command docs: Refer to the upstream agent-browser skill for the full command reference (50+ commands: interaction, wait, capture, extraction, storage, semantic locators, tabs, debug, mobile, network, cookies, state, vault).

Decision Tree

# Fallback decision tree for web content
# 1. Try WebFetch first (fast, no browser overhead)
# 2. If empty/partial -> Try Tavily extract/crawl
# 3. If SPA or interactive -> use agent-browser
# 4. If login required -> authentication flow + state save
# 5. If dynamic -> wait @element or wait --text

Local Dev URLs

Use Portless (npm i -g portless) for stable local dev URLs instead of guessing ports. When Portless is running, navigate to myapp.localhost:1355 instead of localhost:3000. Our safety hook already allows *.localhost subdomains via ORCHESTKIT_AGENT_BROWSER_ALLOW_LOCALHOST.

# With Portless: stable, named URLs
agent-browser open "http://myapp.localhost:1355"

# Without: fragile port guessing
agent-browser open "http://localhost:3000"  # which app is this?

What's New (v0.17 → v0.22.2)

Breaking changes — update scripts now:

--full / -f moved from global to command-level (v0.21): use screenshot --full, NOT --full screenshot
Auth encryption format changed (v0.17): saved auth states from v0.16.x may not load
Auto-dialog dismissal (v0.23.1): alert/beforeunload dialogs are auto-dismissed by default, opt out with --no-auto-dialog

New commands:

Command	Version	Security Note
`clipboard read/write/copy/paste`	v0.19	`read` accesses host clipboard — hook warns
`inspect` / `get cdp-url`	v0.18	Opens local DevTools proxy — hook warns
`batch --json [--bail]`	v0.21	Batch execute commands from stdin
`network har start/stop [file]`	v0.21	HAR captures auth tokens — hook warns, treat output as sensitive
`network request <id>`	v0.22	View full request/response detail
`network requests --type/--method/--status`	v0.22	Filter network requests
`dialog dismiss` / `dialog status`	v0.17/v0.22	Dismiss or check browser dialogs
`upgrade`	v0.21.1	Self-update (auto-detects npm/Homebrew/Cargo)

New flags:

Flag	Scope	Version
`--engine lightpanda`	global	v0.17
`--screenshot-dir/quality/format`	screenshot	v0.19
`--provider browserless`	global	v0.19
`--idle-timeout <duration>`	global	v0.20.14
`--user-data-dir <path>`	Chrome	v0.21
`set viewport W H [scale]`	viewport	v0.17.1 (retina)

Platform support: Brave auto-discovery (v0.20.7), Alpine Linux musl (v0.20.2), Lightpanda engine (v0.17), Browserless.io provider (v0.19), cross-origin iframe traversal (v0.22).

Performance (v0.20): 99x smaller install (710→7 MB), 18x less memory (143→8 MB), 1.6x faster cold start.

Safety Guardrails (7 rules + 11-check hook)

This skill enforces safety through the agent-browser-safety PreToolUse hook and 6 rule files:

Hook: agent-browser-safety

The hook intercepts all agent-browser Bash commands and enforces:

Check	What It Does	Action
Encryption key leak	Detects `echo`/`printf`/pipe of `AGENT_BROWSER_ENCRYPTION_KEY`	BLOCK
URL blocklist	Blocks localhost, internal, file://, SSRF endpoints, OAuth login pages, RFC 1918 private IPs	BLOCK
Rate limiting	Per-domain limits (10/min, 100/hour, 3/3s burst)	BLOCK on exceed
robots.txt	Fetches and caches robots.txt, blocks disallowed paths	BLOCK
Sensitive actions	Detects delete/remove clicks, password fills, payment submissions	WARN + native confirmation
Network routes	Validates `network route` target URLs against blocklist	BLOCK
User-agent spoofing	Warns when `--user-agent` flag is used	WARN
File access	Warns when `--allow-file-access` flag is used	WARN
DevTools inspect	`inspect` / `get cdp-url` opens local CDP proxy — new attack surface (v0.18+)	WARN
Clipboard read	`clipboard read` accesses host clipboard without prompt (v0.19+)	WARN
HAR capture	`network har stop` dumps full request/response bodies incl. auth tokens (v0.21+)	WARN

Security Rules (in `rules/`)

Category	Rules	Priority
Ethics & Security	`browser-scraping-ethics.md`, `browser-auth-security.md`	CRITICAL
Local Dev	`browser-portless-local-dev.md`	HIGH
Reliability	`browser-rate-limiting.md`, `browser-snapshot-workflow.md`	HIGH
Debug & Device	`browser-debug-recording.md`, `browser-mobile-testing.md`	HIGH

Configuration

Rate limits and behavior are configurable via environment variables:

Env Var	Default	Purpose
`AGENT_BROWSER_RATE_LIMIT_PER_MIN`	10	Requests per minute per domain
`AGENT_BROWSER_RATE_LIMIT_PER_HOUR`	100	Requests per hour per domain
`AGENT_BROWSER_BURST_LIMIT`	3	Max requests in 3-second window
`AGENT_BROWSER_ROBOTS_CACHE_TTL`	3600000	robots.txt cache TTL (ms)
`AGENT_BROWSER_IGNORE_ROBOTS`	false	Bypass robots.txt enforcement
`AGENT_BROWSER_CONFIRM`	1	Use `--confirm-actions` for sensitive ops
`AGENT_BROWSER_IDLE_TIMEOUT_MS`	—	Auto-shutdown daemon after inactivity (ms)
`AGENT_BROWSER_ENGINE`	chrome	Browser engine (`chrome` or `lightpanda`)
`ORCHESTKIT_AGENT_BROWSER_ALLOW_LOCALHOST`	1	Allow `*.localhost` subdomains (RFC 6761)

Anti-Patterns (FORBIDDEN)

# Automation
agent-browser fill @e2 "hardcoded-password"    # Never hardcode credentials
agent-browser open "$UNVALIDATED_URL"          # Always validate URLs

# Scraping
# Crawling without checking robots.txt
# No delay between requests (hammering servers)
# Ignoring rate limit responses (429)

# Content capture
agent-browser get text body                    # Prefer targeted ref extraction
# Trusting page content without validation
# Not waiting for SPA hydration before extraction

# Session management
# Storing auth state in code repositories
# Not cleaning up state files after use

# Network & State
agent-browser network route "http://internal-api/*" --body '{}'  # Never mock internal APIs
agent-browser cookies set token "$SECRET" --url https://prod.com # Never set prod cookies

# Deprecated / removed
agent-browser --full screenshot                # BREAKING: --full is now command-level (v0.21)
agent-browser screenshot --full                # Correct: flag after subcommand

# Sensitive data leaks
agent-browser network har stop auth-dump.har   # HAR files contain auth tokens — gitignore!
git add *.har                                  # NEVER commit HAR captures

agent-browser (upstream) — Full command reference and usage patterns
portless (upstream) — Stable named .localhost URLs for local dev servers
ork:web-research-workflow — Unified decision tree for web research
ork:testing-e2e — E2E testing patterns including Playwright and webapp testing
ork:api-design — API design patterns for endpoints discovered during scraping

Rules (7)

Secure browser automation credentials to prevent token leaks and account compromise — CRITICAL

Browser: Auth Security

Never hardcode credentials or log auth tokens. Use environment variables for secrets, store session state files with restrictive permissions, and clean up auth artifacts after use.

Incorrect:

# Hardcoding credentials in scripts
PASSWORD="hardcoded-password"
agent-browser fill @e2 "$PASSWORD"

# Logging auth tokens or session data to stdout
agent-browser eval "document.cookie"
echo "Session token: $(agent-browser eval 'localStorage.getItem(\"token\")')"

# Storing auth state with default (world-readable) permissions
agent-browser state save /tmp/auth-state.json
# File is now readable by any user on the system

# No cleanup — state file persists indefinitely

Correct:

# Use environment variables for all credentials
agent-browser open https://app.example.com/login
agent-browser wait --load networkidle
agent-browser snapshot -i

# Fill credentials from env vars (never hardcoded)
agent-browser fill @e1 "$APP_EMAIL"
agent-browser fill @e2 "$APP_PASSWORD"
agent-browser click @e3

agent-browser wait --url "**/dashboard"

# Store state files securely with restrictive permissions
STATE_FILE="$HOME/.config/agent-browser/auth-state.json"
mkdir -p "$(dirname "$STATE_FILE")"

agent-browser state save "$STATE_FILE"
chmod 600 "$STATE_FILE"  # Owner read/write only

# Clean up state files when done
trap 'rm -f "$STATE_FILE"' EXIT

# For 2FA/MFA, use headed mode; handle session expiry gracefully
AGENT_BROWSER_HEADED=1 agent-browser open https://secure-site.com/login
echo "Please complete authentication manually..."
agent-browser wait --url "**/authenticated"
agent-browser state save "$STATE_FILE"
chmod 600 "$STATE_FILE"

# Detect expired sessions and re-authenticate
CURRENT_URL=$(agent-browser get url)
[[ "$CURRENT_URL" == *"/login"* ]] && rm -f "$STATE_FILE"  # Re-trigger login

# Cookie-based session setup (v0.13) — faster than login flows
agent-browser cookies set session_id "$SESSION_TOKEN" \
  --url https://app.example.com \
  --httpOnly --secure
agent-browser open https://app.example.com/dashboard
agent-browser wait --load networkidle

# Verify cookie-based auth worked
CURRENT_URL=$(agent-browser get url)
[[ "$CURRENT_URL" == *"/dashboard"* ]] && echo "Cookie auth successful"

# Token management via storage
agent-browser storage local "authToken"              # Read current token
agent-browser storage local set "authToken" "$TOKEN" # Inject token
agent-browser storage session                        # Check session data
agent-browser storage local clear                    # Cleanup after test

# Cookie management and debugging
agent-browser cookies                    # Read all cookies (debug auth issues)
agent-browser cookies clear              # Clear all cookies (force re-auth)

# Human-in-the-loop for admin actions
agent-browser --confirm-interactive open https://admin.example.com
# Terminal will prompt for confirmation on each action

Key rules:

Never hardcode passwords, API keys, or tokens in scripts -- always use environment variables
Never log, echo, or print auth tokens, cookies, or session data to stdout/stderr
Set chmod 600 on all saved state files immediately after creation
Store state files in a secure directory ($HOME/.config/) rather than world-readable /tmp/
Use trap 'rm -f "$STATE_FILE"' EXIT to clean up auth artifacts when the script exits
Use headed mode (AGENT_BROWSER_HEADED=1) for 2FA/MFA flows that require manual interaction
Use cookies set with --httpOnly --secure flags for cookie-based session injection — faster than replaying login flows
Always use --session-name (not --session) for named session persistence
Use cookies to debug auth failures before re-logging in
Use storage local clear and cookies clear in cleanup scripts to force fresh authentication
Use --confirm-interactive for admin panel automation to require manual confirmation on actions
Use vault store/vault load (v0.15) for encrypted credential persistence — requires AGENT_BROWSER_ENCRYPTION_KEY
Never echo, log, or pipe AGENT_BROWSER_ENCRYPTION_KEY — treat it like a password
Use --confirm-actions (v0.15) for native CLI-level action gating on sensitive operations
Prefer vault over state save for auth data — vault encrypts at rest, state files are plaintext JSON
v0.17 breaking: auth encryption format changed — saved auth states from v0.16.x native mode may not load; re-authenticate and re-save
v0.18+: KERNEL_API_KEY is now optional (was required) — remove if not using external credential injection
v0.21+: HAR captures contain auth tokens — never commit .har files, add to .gitignore
v0.17+: auth cookies now persist on browser close — clear cookies explicitly if you need a fresh session

Reference: references/auth-flows.md (Security Considerations, Secure State Files)

Use browser debug and recording tools safely to avoid leaking sensitive data in traces — HIGH

Browser: Debug & Recording

Use trace, profiler, and record commands for debugging and bug reports, but always review output files before sharing — they may contain sensitive data (cookies, tokens, form inputs).

Incorrect:

# Recording a login flow — captures credentials in video/trace
agent-browser trace start /tmp/trace.zip
agent-browser open https://app.example.com/login
agent-browser fill @e1 "$EMAIL"
agent-browser fill @e2 "$PASSWORD"
agent-browser click @e3
agent-browser trace stop
# /tmp/trace.zip now contains your credentials in cleartext

# Dumping console output without filtering
agent-browser console > /tmp/console.log
# May contain auth tokens, API keys logged by the app

# Sharing errors log without review
agent-browser errors > /tmp/errors.log
git add /tmp/errors.log  # Could contain PII in stack traces

Correct:

# Record AFTER authentication (load saved state first)
agent-browser vault load my-session
agent-browser trace start /tmp/trace.zip
agent-browser open https://app.example.com/dashboard
# ... perform actions to reproduce bug ...
agent-browser trace stop
# Trace captures only post-auth interactions

# Review console output before saving
agent-browser console  # Review in terminal first
# Only redirect to file after confirming no sensitive data

# Profiler for performance debugging (safe — no credentials)
agent-browser profiler start
agent-browser open https://app.example.com/slow-page
agent-browser wait --load networkidle
agent-browser profiler stop /tmp/profile.json
# Profile contains JS execution data, not credentials

# Record for visual bug reports (after auth)
agent-browser record start /tmp/bug-repro.webm
agent-browser click @e5
agent-browser wait --text "Error"
agent-browser record stop

HAR Network Capture (v0.21+)

HAR files capture full request/response bodies including auth tokens, cookies, and POST payloads. Treat them as sensitive.

Incorrect:

agent-browser network har start
agent-browser open https://app.example.com/login
agent-browser fill @e1 "$EMAIL" && agent-browser fill @e2 "$PASSWORD"
agent-browser network har stop /tmp/full-capture.har
git add /tmp/full-capture.har  # Contains credentials in cleartext!

Correct:

# Start HAR AFTER authentication
agent-browser vault load my-session
agent-browser network har start
agent-browser open https://app.example.com/api-page
# ... perform actions to debug ...
agent-browser network har stop /tmp/api-debug.har
# Add *.har to .gitignore — never commit

DevTools Inspect (v0.18+)

The inspect command opens a local proxy to Chrome DevTools. This is a new attack surface in shared/CI environments.

agent-browser inspect          # Opens DevTools proxy on local port
agent-browser get cdp-url      # Returns CDP WebSocket URL for external tools

Clipboard Access (v0.19+)

Clipboard commands access the host clipboard without user interaction — relevant for sandboxed environments.

agent-browser clipboard read   # Reads host clipboard contents
agent-browser clipboard write "text"
agent-browser clipboard copy   # Copy current selection
agent-browser clipboard paste  # Paste clipboard contents

Key rules:

Never trace or record login flows — credentials appear in cleartext in output files
Load auth state via vault load before starting a trace/recording session
Review console and errors output in terminal before redirecting to files
Never commit trace, recording, profile, or HAR files to git repositories
Use profiler for performance analysis — it captures execution timing, not credentials
Store debug output files in /tmp/ or ephemeral directories, not project directories
Scrub trace files before sharing: remove cookies, localStorage, and network payloads
HAR files contain auth tokens — add *.har to .gitignore, treat as sensitive
inspect opens DevTools to local network — only use on trusted machines, not CI/shared envs
clipboard read accesses host clipboard without prompt — be aware in sandboxed contexts

Reference: references/debug-tools.md (Trace Safety, Recording Best Practices)

Scope mobile browser testing to verified devices and emulation profiles — HIGH

Browser: Mobile Testing

Use device emulation and iOS Simulator connection for mobile testing, but always verify the device context is active and scope tests to target devices.

Incorrect:

# Assuming device emulation without verifying viewport
agent-browser --device "iPhone 15" open https://app.example.com
agent-browser screenshot /tmp/mobile.png
# Did not verify viewport dimensions — may have fallen back to desktop

# Testing "mobile" without actual device emulation
agent-browser open https://app.example.com
agent-browser eval "window.innerWidth"  # Still 1280px — not mobile!

# Connecting to iOS Simulator without checking it's running
agent-browser --ios-simulator open https://app.example.com
# Fails silently or connects to wrong simulator instance

Correct:

# Verify device emulation is active
agent-browser --device "iPhone 15" open https://app.example.com
agent-browser wait --load networkidle
agent-browser eval "JSON.stringify({
  width: window.innerWidth,
  height: window.innerHeight,
  userAgent: navigator.userAgent
})"
# Confirm: width=390, height=844, userAgent contains "iPhone"

# Test dark mode rendering
agent-browser --device "iPhone 15" --color-scheme dark open https://app.example.com
agent-browser screenshot /tmp/mobile-dark.png
agent-browser --color-scheme light open https://app.example.com
agent-browser screenshot /tmp/mobile-light.png

# iOS Simulator — verify simulator is booted first
xcrun simctl list devices | grep "Booted"
agent-browser --ios-simulator open https://app.example.com
agent-browser wait --load networkidle
agent-browser snapshot -i

# Multi-device comparison
for device in "iPhone 15" "iPhone SE" "iPad Pro 11"; do
  agent-browser --device "$device" open https://app.example.com
  agent-browser wait --load networkidle
  agent-browser screenshot "/tmp/test-${device// /-}.png"
done

Key rules:

Always verify viewport dimensions after --device to confirm emulation is active
Use --color-scheme dark and --color-scheme light to test both modes
Check xcrun simctl list devices | grep Booted before using --ios-simulator
Test a minimum of 3 device profiles: small phone, large phone, tablet
Use diff screenshot to compare rendering across devices
Do not rely solely on emulation — iOS Simulator provides higher-fidelity results for iOS-specific issues

Reference: references/mobile-testing.md (Device Emulation, iOS Simulator)

Use Portless named URLs instead of raw port numbers for local dev — HIGH

Browser: Portless Local Dev URLs

Use Portless named .localhost:1355 URLs instead of guessing port numbers. Named URLs are stable across restarts, self-documenting, and eliminate the #1 source of local dev connection failures.

Incorrect:

# Guessing ports — fragile, ambiguous, breaks across restarts
agent-browser open "http://localhost:3000"        # which app is this?
agent-browser open "http://localhost:8080"        # API? frontend? storybook?
curl http://localhost:5173/api/health             # port changed after restart

# Hardcoding ports in reproduction steps
agent-browser screenshot /tmp/bug.png             # of which service?
agent-browser network log                         # on which port?

Correct:

# Discover services first
portless list
# api    → api.localhost:1355    (port 8080)
# app    → app.localhost:1355    (port 3000)
# docs   → docs.localhost:1355   (port 3001)

# Use named URLs — stable, self-documenting
agent-browser open "http://app.localhost:1355"
agent-browser screenshot /tmp/app-bug.png

# API calls with named URLs
curl http://api.localhost:1355/api/health

# Visual debugging with agent-browser + Portless
agent-browser open "http://app.localhost:1355/settings"
agent-browser console                             # check JS errors
agent-browser network log                         # inspect API calls
agent-browser screenshot /tmp/settings-broken.png # evidence for report

# E2E testing with stable base URL
PLAYWRIGHT_BASE_URL="http://app.localhost:1355" npx playwright test

Portless v0.5+ Features

# portless run — auto-infer project name, inject --port flag
portless run npm run dev
# Starts dev server AND assigns it a named URL automatically

# portless alias — assign named URLs to existing services (not started by portless)
portless alias redis 6379

# portless get — retrieve the URL for a named service
portless get app  # → http://app.localhost:1355

# PORTLESS_URL env var — injected automatically in portless run
# Your app can read process.env.PORTLESS_URL to know its own named URL

# HTTPS support (v0.4+) — auto-generated TLS certs
# Portless can serve HTTPS on port 443 with HTTP/2

Key rules:

Always run portless list before constructing any localhost URL
Use *.localhost:1355 URLs in all agent-browser commands, curl calls, and test configs
Include the Portless service name in screenshots and debug reports for clarity
Prefer portless run (v0.5+) over manual port management — it injects --port and PORTLESS_URL automatically
Use portless alias (v0.5+) for services not started by portless (databases, queues)
Use portless get <name> (v0.6+) to programmatically retrieve URLs in scripts
If Portless is not installed, fall back to lsof -iTCP -sTCP:LISTEN -nP to discover ports
The OrchestKit safety hook allows *.localhost subdomains via ORCHESTKIT_AGENT_BROWSER_ALLOW_LOCALHOST
Install Portless globally: npm i -g portless

Throttle browser requests to avoid 429 blocks, IP bans, and unreliable results — HIGH

Browser: Rate Limiting

Add delays between requests, implement exponential backoff on rate-limit responses (429/503), and limit concurrent connections to avoid overwhelming target servers.

Incorrect:

# Rapid-fire requests with no delay
for url in "${URLS[@]}"; do
    agent-browser open "$url"
    agent-browser get text body > "/tmp/$(basename "$url").txt"
done
# No delay, no wait, no rate-limit detection — will trigger 429 blocks

Correct:

# Adaptive rate limiting with exponential backoff
DELAY=1

for url in "${URLS[@]}"; do
    agent-browser open "$url"
    agent-browser wait --load networkidle

    STATUS=$(agent-browser eval "
        const h1 = document.querySelector('h1');
        if (h1 && (h1.innerText.includes('429') || h1.innerText.includes('Too Many'))) {
            'rate-limited';
        } else if (document.title.includes('Access Denied')) {
            'blocked';
        } else { 'ok'; }
    ")

    case "$STATUS" in
        "rate-limited")
            DELAY=$((DELAY * 2)); sleep $DELAY; continue ;;
        "blocked")
            echo "Access denied: $url"; continue ;;
        *)
            agent-browser get text body > "/tmp/$(basename "$url").txt"
            DELAY=1 ;;  # Reset delay on success
    esac
    sleep $DELAY
done

# Retry with exponential backoff (max 3 attempts)
fetch_with_retry() {
    local url="$1" output="$2" max_retries=3 retry=0 delay=1
    while [[ $retry -lt $max_retries ]]; do
        if agent-browser open "$url" 2>/dev/null; then
            agent-browser wait --load networkidle
            agent-browser get text body > "$output"
            [[ -s "$output" ]] && return 0
        fi
        ((retry++))
        echo "Retry $retry/$max_retries for: $url (waiting ${delay}s)"
        sleep $delay
        delay=$((delay * 2))
    done
    echo "Failed after $max_retries retries: $url" >> /tmp/failed-urls.txt
    return 1
}

# Block non-essential traffic to reduce request count (v0.13)
# Analytics, tracking, and ad requests waste rate-limit budget
agent-browser network route "*google-analytics*" --abort
agent-browser network route "*facebook.net/tr*" --abort
agent-browser network route "*doubleclick.net*" --abort
agent-browser network route "*hotjar*" --abort

# Extract content without tracker overhead
agent-browser open "$url"
agent-browser wait --load networkidle
agent-browser get text @e5

# Clean up routes after extraction
agent-browser network unroute

# Clear tracked request log between test runs
agent-browser network requests --clear    # Reset tracked request log

Key rules:

Always add at least a 1-second delay between consecutive page requests
Detect rate-limit responses (429, "Too Many Requests", "Access Denied") and back off exponentially
Reset the backoff delay to baseline after a successful request
Use a retry function with a max retry count and exponential backoff for failed pages
Log failed URLs to a separate file instead of silently skipping them
Block analytics and tracking scripts with network route --abort to preserve rate-limit budget and speed up page loads
Always call network unroute after extraction to clean up intercepts
Use network requests --clear between test runs to avoid stale request data
Use --allowed-domains (v0.16) to restrict navigation to approved domains — prevents accidental crawl escapes
Use --action-policy <path> (v0.16) to enforce a JSON policy file governing which actions are permitted
Use --max-output <bytes> (v0.16) to cap command output size — prevents context window blowup from large pages

Reference: references/anti-bot-handling.md (Rate Limiting, Adaptive Rate Limiting, Retry Logic)

Respect robots.txt and terms of service to avoid legal issues and IP bans — CRITICAL

Browser: Scraping Ethics

Always scrape responsibly: check robots.txt, comply with Terms of Service, identify yourself as an automated agent, and never scrape personal or auth-gated data without explicit permission.

Incorrect:

# Ignoring robots.txt entirely
agent-browser open https://example.com/private-api/users
agent-browser get text body > /tmp/users.txt

# Spoofing user-agent to appear as a real browser
agent-browser eval "
  Object.defineProperty(navigator, 'userAgent', {
    get: () => 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/120'
  });
"

# Scraping auth-gated content without permission
agent-browser state load /tmp/stolen-session.json
agent-browser open https://app.example.com/admin/user-data
agent-browser get text body > /tmp/scraped-pii.txt

Correct:

# 1. Check robots.txt BEFORE crawling any site
ROBOTS=$(curl -s "https://docs.example.com/robots.txt")

if echo "$ROBOTS" | grep -q "Disallow: /docs"; then
    echo "Crawling /docs is disallowed by robots.txt"
    exit 1
fi

# 2. Parse and respect crawl-delay directives
CRAWL_DELAY=$(echo "$ROBOTS" | grep -i "Crawl-delay" | head -1 | awk '{print $2}')
DELAY=${CRAWL_DELAY:-1}  # Default to 1 second if not specified

# 3. Use an identifiable user-agent string
# (agent-browser identifies itself by default — do NOT override it)

# 4. Only scrape publicly accessible, non-personal content
agent-browser open "https://docs.example.com/public/guide"
agent-browser wait --load networkidle
agent-browser get text @e5  # Extract specific content area, not full page

Key rules:

Always check robots.txt before crawling any domain and honor Disallow directives
Respect Crawl-delay values; default to at least 1 second between requests
Never spoof user-agent strings to bypass bot detection -- identify as an automated tool
Do not scrape personal data, auth-gated content, or content behind paywalls without explicit authorization
Comply with the site's Terms of Service; when in doubt, do not scrape
Use targeted extraction (get text @e#) instead of full-page dumps to minimize data collection
Use --user-agent (v0.16) only to identify your automation — never to spoof a real browser identity
Use --max-output (v0.16) to limit extracted content size and reduce data over-collection
Respect --allowed-domains (v0.16) to scope crawls — prevents accidentally following links to unrelated sites

Reference: references/anti-bot-handling.md (Respectful Scraping Principles, Check robots.txt)

Wait and snapshot browser content to avoid empty results and bloated page dumps — HIGH

Browser: Snapshot Workflow

Always follow the wait-then-snapshot-then-extract pattern: wait for the page to fully load, take an accessibility snapshot to discover element refs, then extract targeted content using those refs. Re-snapshot after any navigation or significant DOM change.

Incorrect:

# Extracting immediately without waiting — content may be empty or partial
agent-browser open https://docs.example.com/article
agent-browser get text body > /tmp/article.txt

# Using stale refs after navigating — @e5 refers to the OLD page
agent-browser snapshot -i
agent-browser click @e3
agent-browser get text @e5

# Full-page dump captures nav, header, footer, ads — massive noise
agent-browser wait --load networkidle
agent-browser get text body > /tmp/article.txt

Correct:

# 1. Navigate and wait for full page load
agent-browser open https://docs.example.com/article
agent-browser wait --load networkidle

# 2. Snapshot to discover element refs (93% less context than full DOM)
agent-browser snapshot -i
# Output: @e1 [nav] "Navigation", @e5 [article] "Main Content Area"

# 3. Extract targeted content using refs
agent-browser get text @e5  # Only the article, not the full page

# Re-snapshot after navigation or DOM changes
agent-browser snapshot -i
agent-browser fill @e1 "search query"
agent-browser click @e2

agent-browser wait --load networkidle
agent-browser snapshot -i          # NEW refs after page change
agent-browser get text @e1         # Extract from updated page

# Extraction preference order (lowest to highest context cost):
agent-browser get text @e5           # 1. Targeted ref (best)
agent-browser get html @e5           # 2. HTML when formatting matters
agent-browser eval "JSON.stringify(  # 3. Custom JS for structured data
  Array.from(document.querySelectorAll('h2')).map(h => h.innerText))"
agent-browser get text body          # 4. Full body (last resort)

Key rules:

Always wait --load networkidle after open before any extraction or snapshotting
Always snapshot -i before interacting with elements -- refs are only valid within their snapshot
Re-snapshot after every navigation, form submission, or significant DOM change
Use get text @e# for targeted extraction instead of get text body -- 93% less context
Prefer semantic wait strategies (--text, --url, @e#) over fixed wait delays
Verify extracted content is non-empty before saving to avoid capturing blank pages

Enhanced Screenshot Commands (v0.19+)

Capture full pages and annotated snapshots for visual debugging:

# Full page and annotated capture (NOTE: --full is command-level since v0.21)
agent-browser screenshot --full /tmp/full-page.png   # Entire scrollable page
agent-browser screenshot --annotate                  # Numbered element labels for debugging
agent-browser screenshot --screenshot-dir /tmp/shots --screenshot-format webp --screenshot-quality 80
agent-browser pdf /tmp/page.pdf                      # Save as PDF

iframe Traversal (v0.21+)

Snapshots and interactions now traverse into iframe content automatically. Cross-origin iframes are supported since v0.22 via Target.setAutoAttach.

# v0.21+: iframes included in snapshot automatically
agent-browser snapshot -i
# Output includes both parent page refs AND iframe content refs

# Pre-v0.21: manual iframe targeting required
agent-browser frame @e5        # Enter specific iframe
agent-browser snapshot -i      # Snapshot inside iframe
agent-browser frame main       # Return to main frame

Batch Commands (v0.21+)

Execute multiple commands in sequence from stdin:

# Pipe JSON array of commands
echo '[{"command":"open","args":["https://example.com"]},{"command":"screenshot","args":["/tmp/shot.png"]}]' | agent-browser batch --json

# Stop on first failure
echo '[...]' | agent-browser batch --json --bail

Interaction with Element Refs

After snapshot -i, use @refs for precise interaction patterns:

# Correct: targeted interaction
agent-browser snapshot -i
agent-browser fill @e3 "search query"
agent-browser click @e5
agent-browser select @e7 "Category"
agent-browser hover @e2                  # Trigger dropdown
agent-browser scroll down 500            # Load more content
agent-browser scrollintoview @e15        # Navigate to element
agent-browser upload @e10 ./file.pdf     # File upload
agent-browser drag @e1 @e8              # Drag and drop

# Keyboard interaction
agent-browser press Enter                # Submit
agent-browser press Tab                  # Navigate
agent-browser keyboard type "query"      # Type without selector

Storage in Snapshot Workflow

Read and debug page state during snapshots:

# Read page state
agent-browser storage local              # Check localStorage
agent-browser storage session            # Check sessionStorage

Extended Wait Commands

Add semantic waits beyond --load patterns:

# Wait for custom conditions
agent-browser wait --fn "window.loaded"  # Custom JS condition

Diff-Based Verification (v0.13+)

Replace manual "snapshot → act → snapshot → eyeball" patterns with native diff commands for verifiable, regression-free automation.

Incorrect: Manual before/after comparison

agent-browser snapshot -i > /tmp/before.txt
agent-browser click @e3
agent-browser snapshot -i > /tmp/after.txt
diff /tmp/before.txt /tmp/after.txt  # Manual, fragile

Correct: Native diff verification

agent-browser snapshot -i            # Captures baseline automatically
agent-browser click @e3
agent-browser wait --load networkidle
agent-browser diff snapshot          # Shows +/- changes like git diff

Visual regression testing:

# Capture baseline for regression tests
agent-browser screenshot /tmp/baseline.png

# Make CSS/component changes...

# Verify visual changes
agent-browser diff screenshot --baseline /tmp/baseline.png
# Output: 2.3% pixels changed — highlights differences in red

Key rules for diff commands:

Use diff snapshot after every action to verify intended effect
Save baselines for regression testing: agent-browser snapshot -i > baseline.txt
Use diff screenshot for visual regression — anything >5% mismatch needs investigation
Use diff url to compare staging vs production pages side-by-side
Diff output uses git-style +/- for a11y trees and pixel counts for visual diffs
Use find "text" (v0.16) as an alternative to snapshot -i when you know the element's visible text or label
Use find --role button "Submit" to locate elements by ARIA role + text — more resilient than @ref numbers
Use highlight @e1 (v0.16) to visually mark elements during debugging — clear with highlight --clear
Use screenshot --annotate for numbered element labels that correspond to @ref identifiers
v0.21+: iframes are traversed automatically in snapshots — no need for frame @e1 first
v0.21 breaking: --full is now command-level, not global — use screenshot --full, not --full screenshot
v0.23.1: alert/beforeunload dialogs are auto-dismissed by default — opt out with --no-auto-dialog

Reference: references/page-interaction.md (Snapshot + Refs), references/content-extraction.md (Extraction Methods)

References (5)

Upstream Dogfood

Dogfood

Systematically explore a web application, find issues, and produce a report with full reproduction evidence for every finding.

Setup

Only the Target URL is required. Everything else has sensible defaults -- use them unless the user explicitly provides an override.

Parameter	Default	Example override
Target URL	(required)	`vercel.com`, `http://localhost:3000`
Session name	Slugified domain (e.g., `vercel.com` -> `vercel-com`)	`--session my-session`
Output directory	`./dogfood-output/`	`Output directory: /tmp/qa`
Scope	Full app	`Focus on the billing page`
Authentication	None	`Sign in to user@example.com`

If the user says something like "dogfood vercel.com", start immediately with defaults. Do not ask clarifying questions unless authentication is mentioned but credentials are missing.

Always use agent-browser directly -- never npx agent-browser. The direct binary uses the fast Rust client. npx routes through Node.js and is significantly slower.

Workflow

1. Initialize    Set up session, output dirs, report file
2. Authenticate  Sign in if needed, save state
3. Orient        Navigate to starting point, take initial snapshot
4. Explore       Systematically visit pages and test features
5. Document      Screenshot + record each issue as found
6. Wrap up       Update summary counts, close session

1. Initialize

mkdir -p {OUTPUT_DIR}/screenshots {OUTPUT_DIR}/videos

Copy the report template into the output directory and fill in the header fields:

cp {SKILL_DIR}/templates/dogfood-report-template.md {OUTPUT_DIR}/report.md

Start a named session:

agent-browser --session {SESSION} open {TARGET_URL}
agent-browser --session {SESSION} wait --load networkidle

2. Authenticate

If the app requires login:

agent-browser --session {SESSION} snapshot -i
# Identify login form refs, fill credentials
agent-browser --session {SESSION} fill @e1 "{EMAIL}"
agent-browser --session {SESSION} fill @e2 "{PASSWORD}"
agent-browser --session {SESSION} click @e3
agent-browser --session {SESSION} wait --load networkidle

For OTP/email codes: ask the user, wait for their response, then enter the code.

After successful login, save state for potential reuse:

agent-browser --session {SESSION} state save {OUTPUT_DIR}/auth-state.json

3. Orient

Take an initial annotated screenshot and snapshot to understand the app structure:

agent-browser --session {SESSION} screenshot --annotate {OUTPUT_DIR}/screenshots/initial.png
agent-browser --session {SESSION} snapshot -i

Identify the main navigation elements and map out the sections to visit.

4. Explore

Read references/issue-taxonomy.md for the full list of what to look for and the exploration checklist.

Strategy -- work through the app systematically:

Start from the main navigation. Visit each top-level section.
Within each section, test interactive elements: click buttons, fill forms, open dropdowns/modals.
Check edge cases: empty states, error handling, boundary inputs.
Try realistic end-to-end workflows (create, edit, delete flows).
Check the browser console for errors periodically.

At each page:

agent-browser --session {SESSION} snapshot -i
agent-browser --session {SESSION} screenshot --annotate {OUTPUT_DIR}/screenshots/{page-name}.png
agent-browser --session {SESSION} errors
agent-browser --session {SESSION} console

Use your judgment on how deep to go. Spend more time on core features and less on peripheral pages. If you find a cluster of issues in one area, investigate deeper.

5. Document Issues (Repro-First)

Steps 4 and 5 happen together -- explore and document in a single pass. When you find an issue, stop exploring and document it immediately before moving on. Do not explore the whole app first and document later.

Every issue must be reproducible. When you find something wrong, do not just note it -- prove it with evidence. The goal is that someone reading the report can see exactly what happened and replay it.

Choose the right level of evidence for the issue:

Interactive / behavioral issues (functional, ux, console errors on action)

These require user interaction to reproduce -- use full repro with video and step-by-step screenshots:

Start a repro video before reproducing:

agent-browser --session {SESSION} record start {OUTPUT_DIR}/videos/issue-{NNN}-repro.webm

Walk through the steps at human pace. Pause 1-2 seconds between actions so the video is watchable. Take a screenshot at each step:

agent-browser --session {SESSION} screenshot {OUTPUT_DIR}/screenshots/issue-{NNN}-step-1.png
sleep 1
# Perform action (click, fill, etc.)
sleep 1
agent-browser --session {SESSION} screenshot {OUTPUT_DIR}/screenshots/issue-{NNN}-step-2.png
sleep 1
# ...continue until the issue manifests

Capture the broken state. Pause so the viewer can see it, then take an annotated screenshot:

sleep 2
agent-browser --session {SESSION} screenshot --annotate {OUTPUT_DIR}/screenshots/issue-{NNN}-result.png

Stop the video:

agent-browser --session {SESSION} record stop

Write numbered repro steps in the report, each referencing its screenshot.

Static / visible-on-load issues (typos, placeholder text, clipped text, misalignment, console errors on load)

These are visible without interaction -- a single annotated screenshot is sufficient. No video, no multi-step repro:

agent-browser --session {SESSION} screenshot --annotate {OUTPUT_DIR}/screenshots/issue-{NNN}.png

Write a brief description and reference the screenshot in the report. Set Repro Video to N/A.

For all issues:

Append to the report immediately. Do not batch issues for later. Write each one as you find it so nothing is lost if the session is interrupted.
Increment the issue counter (ISSUE-001, ISSUE-002, ...).

6. Wrap Up

Aim to find 5-10 well-documented issues, then wrap up. Depth of evidence matters more than total count -- 5 issues with full repro beats 20 with vague descriptions.

After exploring:

Re-read the report and update the summary severity counts so they match the actual issues. Every ### ISSUE- block must be reflected in the totals.
Close the session:

agent-browser --session {SESSION} close

Tell the user the report is ready and summarize findings: total issues, breakdown by severity, and the most critical items.

Guidance

Repro is everything. Every issue needs proof -- but match the evidence to the issue. Interactive bugs need video and step-by-step screenshots. Static bugs (typos, placeholder text, visual glitches visible on load) only need a single annotated screenshot.
Verify reproducibility before collecting evidence. Before recording video or taking screenshots, verify the issue is reproducible with at least one retry. If it can't be reproduced consistently, it's not a valid issue.
Don't record video for static issues. A typo or clipped text doesn't benefit from a video. Save video for issues that involve user interaction, timing, or state changes.
For interactive issues, screenshot each step. Capture the before, the action, and the after -- so someone can see the full sequence.
Write repro steps that map to screenshots. Each numbered step in the report should reference its corresponding screenshot. A reader should be able to follow the steps visually without touching a browser.
Use the right snapshot command.
- snapshot -i — for finding clickable/fillable elements (buttons, inputs, links)
- snapshot (no flag) — for reading page content (text, headings, data lists)
Be thorough but use judgment. You are not following a test script -- you are exploring like a real user would. If something feels off, investigate.
Write findings incrementally. Append each issue to the report as you discover it. If the session is interrupted, findings are preserved. Never batch all issues for the end.
Never delete output files. Do not rm screenshots, videos, or the report mid-session. Do not close the session and restart. Work forward, not backward.
Never read the target app's source code. You are testing as a user, not auditing code. Do not read HTML, JS, or config files of the app under test. All findings must come from what you observe in the browser.
Check the console. Many issues are invisible in the UI but show up as JS errors or failed requests.
Test like a user, not a robot. Try common workflows end-to-end. Click things a real user would click. Enter realistic data.
Type like a human. When filling form fields during video recording, use type instead of fill -- it types character-by-character. Use fill only outside of video recording when speed matters.
Pace repro videos for humans. Add sleep 1 between actions and sleep 2 before the final result screenshot. Videos should be watchable at 1x speed -- a human reviewing the report needs to see what happened, not a blur of instant state changes.
Be efficient with commands. Batch multiple agent-browser commands in a single shell call when they are independent (e.g., agent-browser ... screenshot ... && agent-browser ... console). Use agent-browser --session \{SESSION\} scroll down 300 for scrolling -- do not use key or evaluate to scroll.

References

Reference	When to Read
references/issue-taxonomy.md	Start of session -- calibrate what to look for, severity levels, exploration checklist

Templates

Template	Purpose
templates/dogfood-report-template.md	Copy into output directory as the report file

Upstream Electron

Electron App Automation

Automate any Electron desktop app using agent-browser. Electron apps are built on Chromium and expose a Chrome DevTools Protocol (CDP) port that agent-browser can connect to, enabling the same snapshot-interact workflow used for web pages.

Core Workflow

Launch the Electron app with remote debugging enabled
Connect agent-browser to the CDP port
Snapshot to discover interactive elements
Interact using element refs
Re-snapshot after navigation or state changes

# Launch an Electron app with remote debugging
open -a "Slack" --args --remote-debugging-port=9222

# Connect agent-browser to the app
agent-browser connect 9222

# Standard workflow from here
agent-browser snapshot -i
agent-browser click @e5
agent-browser screenshot slack-desktop.png

Launching Electron Apps with CDP

Every Electron app supports the --remote-debugging-port flag since it's built into Chromium.

macOS

# Slack
open -a "Slack" --args --remote-debugging-port=9222

# VS Code
open -a "Visual Studio Code" --args --remote-debugging-port=9223

# Discord
open -a "Discord" --args --remote-debugging-port=9224

# Figma
open -a "Figma" --args --remote-debugging-port=9225

# Notion
open -a "Notion" --args --remote-debugging-port=9226

# Spotify
open -a "Spotify" --args --remote-debugging-port=9227

Linux

slack --remote-debugging-port=9222
code --remote-debugging-port=9223
discord --remote-debugging-port=9224

Windows

"C:\Users\%USERNAME%\AppData\Local\slack\slack.exe" --remote-debugging-port=9222
"C:\Users\%USERNAME%\AppData\Local\Programs\Microsoft VS Code\Code.exe" --remote-debugging-port=9223

Important: If the app is already running, quit it first, then relaunch with the flag. The --remote-debugging-port flag must be present at launch time.

Connecting

# Connect to a specific port
agent-browser connect 9222

# Or use --cdp on each command
agent-browser --cdp 9222 snapshot -i

# Auto-discover a running Chromium-based app
agent-browser --auto-connect snapshot -i

After connect, all subsequent commands target the connected app without needing --cdp.

Tab Management

Electron apps often have multiple windows or webviews. Use tab commands to list and switch between them:

# List all available targets (windows, webviews, etc.)
agent-browser tab

# Switch to a specific tab by index
agent-browser tab 2

# Switch by URL pattern
agent-browser tab --url "*settings*"

Webview Support

Electron <webview> elements are automatically discovered and can be controlled like regular pages. Webviews appear as separate targets in the tab list with type: "webview":

# Connect to running Electron app
agent-browser connect 9222

# List targets -- webviews appear alongside pages
agent-browser tab
# Example output:
#   0: [page]    Slack - Main Window     https://app.slack.com/
#   1: [webview] Embedded Content        https://example.com/widget

# Switch to a webview
agent-browser tab 1

# Interact with the webview normally
agent-browser snapshot -i
agent-browser click @e3
agent-browser screenshot webview.png

Note: Webview support works via raw CDP connection.

Common Patterns

Inspect and Navigate an App

open -a "Slack" --args --remote-debugging-port=9222
sleep 3  # Wait for app to start
agent-browser connect 9222
agent-browser snapshot -i
# Read the snapshot output to identify UI elements
agent-browser click @e10  # Navigate to a section
agent-browser snapshot -i  # Re-snapshot after navigation

Take Screenshots of Desktop Apps

agent-browser connect 9222
agent-browser screenshot app-state.png
agent-browser screenshot --full full-app.png
agent-browser screenshot --annotate annotated-app.png

Extract Data from a Desktop App

agent-browser connect 9222
agent-browser snapshot -i
agent-browser get text @e5
agent-browser snapshot --json > app-state.json

Fill Forms in Desktop Apps

agent-browser connect 9222
agent-browser snapshot -i
agent-browser fill @e3 "search query"
agent-browser press Enter
agent-browser wait 1000
agent-browser snapshot -i

Run Multiple Apps Simultaneously

Use named sessions to control multiple Electron apps at the same time:

# Connect to Slack
agent-browser --session slack connect 9222

# Connect to VS Code
agent-browser --session vscode connect 9223

# Interact with each independently
agent-browser --session slack snapshot -i
agent-browser --session vscode snapshot -i

Color Scheme

The default color scheme when connecting via CDP may be light. To preserve dark mode:

agent-browser connect 9222
agent-browser --color-scheme dark snapshot -i

Or set it globally:

AGENT_BROWSER_COLOR_SCHEME=dark agent-browser connect 9222

Troubleshooting

"Connection refused" or "Cannot connect"

Make sure the app was launched with --remote-debugging-port=NNNN
If the app was already running, quit and relaunch with the flag
Check that the port isn't in use by another process: lsof -i :9222

App launches but connect fails

Wait a few seconds after launch before connecting (sleep 3)
Some apps take time to initialize their webview

Elements not appearing in snapshot

The app may use multiple webviews. Use agent-browser tab to list targets and switch to the right one

Cannot type in input fields

Try agent-browser keyboard type "text" to type at the current focus without a selector
Some Electron apps use custom input components; use agent-browser keyboard inserttext "text" to bypass key events

Supported Apps

Any app built on Electron works, including:

Communication: Slack, Discord, Microsoft Teams, Signal, Telegram Desktop
Development: VS Code, GitHub Desktop, Postman, Insomnia
Design: Figma, Notion, Obsidian
Media: Spotify, Tidal
Productivity: Todoist, Linear, 1Password

If an app is built with Electron, it supports --remote-debugging-port and can be automated with agent-browser.

Upstream Sandbox

Browser Automation with Vercel Sandbox

Run agent-browser + headless Chrome inside ephemeral Vercel Sandbox microVMs. A Linux VM spins up on demand, executes browser commands, and shuts down. Works with any Vercel-deployed framework (Next.js, SvelteKit, Nuxt, Remix, Astro, etc.).

Dependencies

pnpm add @vercel/sandbox

The sandbox VM needs system dependencies for Chromium plus agent-browser itself. Use sandbox snapshots (below) to pre-install everything for sub-second startup.

Core Pattern

import { Sandbox } from "@vercel/sandbox";

// System libraries required by Chromium on the sandbox VM (Amazon Linux / dnf)
const CHROMIUM_SYSTEM_DEPS = [
  "nss", "nspr", "libxkbcommon", "atk", "at-spi2-atk", "at-spi2-core",
  "libXcomposite", "libXdamage", "libXrandr", "libXfixes", "libXcursor",
  "libXi", "libXtst", "libXScrnSaver", "libXext", "mesa-libgbm", "libdrm",
  "mesa-libGL", "mesa-libEGL", "cups-libs", "alsa-lib", "pango", "cairo",
  "gtk3", "dbus-libs",
];

function getSandboxCredentials() {
  if (
    process.env.VERCEL_TOKEN &&
    process.env.VERCEL_TEAM_ID &&
    process.env.VERCEL_PROJECT_ID
  ) {
    return {
      token: process.env.VERCEL_TOKEN,
      teamId: process.env.VERCEL_TEAM_ID,
      projectId: process.env.VERCEL_PROJECT_ID,
    };
  }
  return {};
}

async function withBrowser<T>(
  fn: (sandbox: InstanceType<typeof Sandbox>) => Promise<T>,
): Promise<T> {
  const snapshotId = process.env.AGENT_BROWSER_SNAPSHOT_ID;
  const credentials = getSandboxCredentials();

  const sandbox = snapshotId
    ? await Sandbox.create({
        ...credentials,
        source: { type: "snapshot", snapshotId },
        timeout: 120_000,
      })
    : await Sandbox.create({ ...credentials, runtime: "node24", timeout: 120_000 });

  if (!snapshotId) {
    await sandbox.runCommand("sh", [
      "-c",
      `sudo dnf clean all 2>&1 && sudo dnf install -y --skip-broken ${CHROMIUM_SYSTEM_DEPS.join(" ")} 2>&1 && sudo ldconfig 2>&1`,
    ]);
    await sandbox.runCommand("npm", ["install", "-g", "agent-browser"]);
    await sandbox.runCommand("npx", ["agent-browser", "install"]);
  }

  try {
    return await fn(sandbox);
  } finally {
    await sandbox.stop();
  }
}

Screenshot

The screenshot --json command saves to a file and returns the path. Read the file back as base64:

export async function screenshotUrl(url: string) {
  return withBrowser(async (sandbox) => {
    await sandbox.runCommand("agent-browser", ["open", url]);

    const titleResult = await sandbox.runCommand("agent-browser", [
      "get", "title", "--json",
    ]);
    const title = JSON.parse(await titleResult.stdout())?.data?.title || url;

    const ssResult = await sandbox.runCommand("agent-browser", [
      "screenshot", "--json",
    ]);
    const ssPath = JSON.parse(await ssResult.stdout())?.data?.path;
    const b64Result = await sandbox.runCommand("base64", ["-w", "0", ssPath]);
    const screenshot = (await b64Result.stdout()).trim();

    await sandbox.runCommand("agent-browser", ["close"]);

    return { title, screenshot };
  });
}

Accessibility Snapshot

export async function snapshotUrl(url: string) {
  return withBrowser(async (sandbox) => {
    await sandbox.runCommand("agent-browser", ["open", url]);

    const titleResult = await sandbox.runCommand("agent-browser", [
      "get", "title", "--json",
    ]);
    const title = JSON.parse(await titleResult.stdout())?.data?.title || url;

    const snapResult = await sandbox.runCommand("agent-browser", [
      "snapshot", "-i", "-c",
    ]);
    const snapshot = await snapResult.stdout();

    await sandbox.runCommand("agent-browser", ["close"]);

    return { title, snapshot };
  });
}

Multi-Step Workflows

The sandbox persists between commands, so you can run full automation sequences:

export async function fillAndSubmitForm(url: string, data: Record<string, string>) {
  return withBrowser(async (sandbox) => {
    await sandbox.runCommand("agent-browser", ["open", url]);

    const snapResult = await sandbox.runCommand("agent-browser", [
      "snapshot", "-i",
    ]);
    const snapshot = await snapResult.stdout();
    // Parse snapshot to find element refs...

    for (const [ref, value] of Object.entries(data)) {
      await sandbox.runCommand("agent-browser", ["fill", ref, value]);
    }

    await sandbox.runCommand("agent-browser", ["click", "@e5"]);
    await sandbox.runCommand("agent-browser", ["wait", "--load", "networkidle"]);

    const ssResult = await sandbox.runCommand("agent-browser", [
      "screenshot", "--json",
    ]);
    const ssPath = JSON.parse(await ssResult.stdout())?.data?.path;
    const b64Result = await sandbox.runCommand("base64", ["-w", "0", ssPath]);
    const screenshot = (await b64Result.stdout()).trim();

    await sandbox.runCommand("agent-browser", ["close"]);

    return { screenshot };
  });
}

Sandbox Snapshots (Fast Startup)

A sandbox snapshot is a saved VM image of a Vercel Sandbox with system dependencies + agent-browser + Chromium already installed. Think of it like a Docker image -- instead of installing dependencies from scratch every time, the sandbox boots from the pre-built image.

This is unrelated to agent-browser's accessibility snapshot feature (agent-browser snapshot), which dumps a page's accessibility tree. A sandbox snapshot is a Vercel infrastructure concept for fast VM startup.

Without a sandbox snapshot, each run installs system deps + agent-browser + Chromium (~30s). With one, startup is sub-second.

Creating a sandbox snapshot

The snapshot must include system dependencies (via dnf), agent-browser, and Chromium:

import { Sandbox } from "@vercel/sandbox";

const CHROMIUM_SYSTEM_DEPS = [
  "nss", "nspr", "libxkbcommon", "atk", "at-spi2-atk", "at-spi2-core",
  "libXcomposite", "libXdamage", "libXrandr", "libXfixes", "libXcursor",
  "libXi", "libXtst", "libXScrnSaver", "libXext", "mesa-libgbm", "libdrm",
  "mesa-libGL", "mesa-libEGL", "cups-libs", "alsa-lib", "pango", "cairo",
  "gtk3", "dbus-libs",
];

async function createSnapshot(): Promise<string> {
  const sandbox = await Sandbox.create({
    runtime: "node24",
    timeout: 300_000,
  });

  await sandbox.runCommand("sh", [
    "-c",
    `sudo dnf clean all 2>&1 && sudo dnf install -y --skip-broken ${CHROMIUM_SYSTEM_DEPS.join(" ")} 2>&1 && sudo ldconfig 2>&1`,
  ]);
  await sandbox.runCommand("npm", ["install", "-g", "agent-browser"]);
  await sandbox.runCommand("npx", ["agent-browser", "install"]);

  const snapshot = await sandbox.snapshot();
  return snapshot.snapshotId;
}

Run this once, then set the environment variable:

AGENT_BROWSER_SNAPSHOT_ID=snap_xxxxxxxxxxxx

A helper script is available in the demo app:

npx tsx examples/environments/scripts/create-snapshot.ts

Recommended for any production deployment using the Sandbox pattern.

Authentication

On Vercel deployments, the Sandbox SDK authenticates automatically via OIDC. For local development or explicit control, set:

VERCEL_TOKEN=<personal-access-token>
VERCEL_TEAM_ID=<team-id>
VERCEL_PROJECT_ID=<project-id>

These are spread into Sandbox.create() calls. When absent, the SDK falls back to VERCEL_OIDC_TOKEN (automatic on Vercel).

Scheduled Workflows (Cron)

Combine with Vercel Cron Jobs for recurring browser tasks:

// app/api/cron/route.ts  (or equivalent in your framework)
export async function GET() {
  const result = await withBrowser(async (sandbox) => {
    await sandbox.runCommand("agent-browser", ["open", "https://example.com/pricing"]);
    const snap = await sandbox.runCommand("agent-browser", ["snapshot", "-i", "-c"]);
    await sandbox.runCommand("agent-browser", ["close"]);
    return await snap.stdout();
  });

  // Process results, send alerts, store data...
  return Response.json({ ok: true, snapshot: result });
}

// vercel.json
{ "crons": [{ "path": "/api/cron", "schedule": "0 9 * * *" }] }

Environment Variables

Variable	Required	Description
`AGENT_BROWSER_SNAPSHOT_ID`	No (but recommended)	Pre-built sandbox snapshot ID for sub-second startup (see above)
`VERCEL_TOKEN`	No	Vercel personal access token (for local dev; OIDC is automatic on Vercel)
`VERCEL_TEAM_ID`	No	Vercel team ID (for local dev)
`VERCEL_PROJECT_ID`	No	Vercel project ID (for local dev)

Framework Examples

The pattern works identically across frameworks. The only difference is where you put the server-side code:

Framework	Server code location
Next.js	Server actions, API routes, route handlers
SvelteKit	`+page.server.ts`, `+server.ts`
Nuxt	`server/api/`, `server/routes/`
Remix	`loader`, `action` functions
Astro	`.astro` frontmatter, API routes

Example

See examples/environments/ in the agent-browser repo for a working app with the Vercel Sandbox pattern, including a sandbox snapshot creation script, streaming progress UI, and rate limiting.

Upstream Slack

Slack Automation

Interact with Slack workspaces to check messages, extract data, and automate common tasks.

Quick Start

Connect to an existing Slack browser session or open Slack:

# Connect to existing session on port 9222 (typical for already-open Slack)
agent-browser connect 9222

# Or open Slack if not already running
agent-browser open https://app.slack.com

Then take a snapshot to see what's available:

agent-browser snapshot -i

Core Workflow

Connect/Navigate: Open or connect to Slack
Snapshot: Get interactive elements with refs (@e1, @e2, etc.)
Navigate: Click tabs, expand sections, or navigate to specific channels
Extract/Interact: Read data or perform actions
Screenshot: Capture evidence of findings

# Example: Check unread channels
agent-browser connect 9222
agent-browser snapshot -i
# Look for "More unreads" button
agent-browser click @e21  # Ref for "More unreads" button
agent-browser screenshot slack-unreads.png

Common Tasks

Checking Unread Messages

# Connect to Slack
agent-browser connect 9222

# Take snapshot to locate unreads button
agent-browser snapshot -i

# Look for:
# - "More unreads" button (usually near top of sidebar)
# - "Unreads" toggle in Activity tab (shows unread count)
# - Channel names with badges/bold text indicating unreads

# Navigate to Activity tab to see all unreads in one view
agent-browser click @e14  # Activity tab (ref may vary)
agent-browser wait 1000
agent-browser screenshot activity-unreads.png

# Or check DMs tab
agent-browser click @e13  # DMs tab
agent-browser screenshot dms.png

# Or expand "More unreads" in sidebar
agent-browser click @e21  # More unreads button
agent-browser wait 500
agent-browser screenshot expanded-unreads.png

Navigating to a Channel

# Search for channel in sidebar or by name
agent-browser snapshot -i

# Look for channel name in the list (e.g., "engineering", "product-design")
# Click on the channel treeitem ref
agent-browser click @e94  # Example: engineering channel ref
agent-browser wait --load networkidle
agent-browser screenshot channel.png

Finding Messages/Threads

# Use Slack search
agent-browser snapshot -i
agent-browser click @e5  # Search button (typical ref)
agent-browser fill @e_search "keyword"
agent-browser press Enter
agent-browser wait --load networkidle
agent-browser screenshot search-results.png

Extracting Channel Information

# Get list of all visible channels
agent-browser snapshot --json > slack-snapshot.json

# Parse for channel names and metadata
# Look for treeitem elements with level=2 (sub-channels under sections)

Checking Channel Details

# Open a channel
agent-browser click @e_channel_ref
agent-browser wait 1000

# Get channel info (members, description, etc.)
agent-browser snapshot -i
agent-browser screenshot channel-details.png

# Scroll through messages
agent-browser scroll down 500
agent-browser screenshot channel-messages.png

Taking Notes/Capturing State

When you need to document findings from Slack:

# Take annotated screenshot (shows element numbers)
agent-browser screenshot --annotate slack-state.png

# Take full-page screenshot
agent-browser screenshot --full slack-full.png

# Get current URL for reference
agent-browser get url

# Get page title
agent-browser get title

Understanding Slack's sidebar helps you navigate efficiently:

- Threads
- Huddles
- Drafts & sent
- Directories
- [Section Headers - External connections, Starred, Channels, etc.]
  - [Channels listed as treeitems]
- Direct Messages
  - [DMs listed]
- Apps
  - [App shortcuts]
- [More unreads] button (toggles unread channels list)

Key refs to look for:

@e12 - Home tab (usually)
@e13 - DMs tab
@e14 - Activity tab
@e5 - Search button
@e21 - More unreads button (varies by session)

Tabs in Slack

After clicking on a channel, you'll see tabs:

Messages - Channel conversation
Files - Shared files
Pins - Pinned messages
Add canvas - Collaborative canvas
Other tabs depending on workspace setup

Click tab refs to switch views and get different information.

Extracting Data from Slack

Get Text Content

# Get a message or element's text
agent-browser get text @e_message_ref

Parse Accessibility Tree

# Full snapshot as JSON for programmatic parsing
agent-browser snapshot --json > output.json

# Look for:
# - Channel names (name field in treeitem)
# - Message content (in listitem/document elements)
# - User names (button elements with user info)
# - Timestamps (link elements with time info)

Count Unreads

# After expanding unreads section:
agent-browser snapshot -i | grep -c "treeitem"
# Each treeitem with a channel name in the unreads section is one unread

Best Practices

Connect to existing sessions: Use agent-browser connect 9222 if Slack is already open. This is faster than opening a new browser.
Take snapshots before clicking: Always snapshot -i to identify refs before clicking buttons.
Re-snapshot after navigation: After navigating to a new channel or section, take a fresh snapshot to find new refs.
Use JSON snapshots for parsing: When you need to extract structured data, use snapshot --json for machine-readable output.
Pace interactions: Add sleep 1 between rapid interactions to let the UI update.
Check accessibility tree: The accessibility tree shows what screen readers (and your automation) can see. If an element isn't in the snapshot, it may be hidden or require scrolling.
Scroll in sidebar: Use agent-browser scroll down 300 --selector ".p-sidebar" to scroll within the Slack sidebar if channel list is long.

Limitations

Cannot access Slack API: This uses browser automation, not the Slack API. No OAuth, webhooks, or bot tokens needed.
Session-specific: Screenshots and snapshots are tied to the current browser session.
Rate limiting: Slack may rate-limit rapid interactions. Add delays between commands if needed.
Workspace-specific: You interact with your own workspace -- no cross-workspace automation.

Debugging

Check console for errors

agent-browser console
agent-browser errors

Get current page state

agent-browser get url
agent-browser get title
agent-browser screenshot page-state.png

Example: Full Unread Check

#!/bin/bash

# Connect to Slack
agent-browser connect 9222

# Take initial snapshot
echo "=== Checking Slack unreads ==="
agent-browser snapshot -i > snapshot.txt

# Check Activity tab for unreads
agent-browser click @e14  # Activity tab
agent-browser wait 1000
agent-browser screenshot activity.png
ACTIVITY_RESULT=$(agent-browser get text @e_main_area)
echo "Activity: $ACTIVITY_RESULT"

# Check DMs
agent-browser click @e13  # DMs tab
agent-browser wait 1000
agent-browser screenshot dms.png

# Check unread channels in sidebar
agent-browser click @e21  # More unreads button
agent-browser wait 500
agent-browser snapshot -i > unreads-expanded.txt
agent-browser screenshot unreads.png

# Summary
echo "=== Summary ==="
echo "See activity.png, dms.png, and unreads.png for full details"

References

Slack docs: https://slack.com/help
Web experience: https://app.slack.com
Keyboard shortcuts: Type ? in Slack for shortcut list

Upstream

Browser Automation with agent-browser

The CLI uses Chrome/Chromium via CDP directly. Install via npm i -g agent-browser, brew install agent-browser, or cargo install agent-browser. Run agent-browser install to download Chrome. Existing Chrome, Brave, Playwright, and Puppeteer installations are detected automatically. Run agent-browser upgrade to update to the latest version.

Core Workflow

Every browser automation follows this pattern:

Navigate: agent-browser open <url>
Snapshot: agent-browser snapshot -i (get element refs like @e1, @e2)
Interact: Use refs to click, fill, select
Re-snapshot: After navigation or DOM changes, get fresh refs

agent-browser open https://example.com/form
agent-browser snapshot -i
# Output: @e1 [input type="email"], @e2 [input type="password"], @e3 [button] "Submit"

agent-browser fill @e1 "user@example.com"
agent-browser fill @e2 "password123"
agent-browser click @e3
agent-browser wait --load networkidle
agent-browser snapshot -i  # Check result

Command Chaining

Commands can be chained with && in a single shell invocation. The browser persists between commands via a background daemon, so chaining is safe and more efficient than separate calls.

# Chain open + wait + snapshot in one call
agent-browser open https://example.com && agent-browser wait --load networkidle && agent-browser snapshot -i

# Chain multiple interactions
agent-browser fill @e1 "user@example.com" && agent-browser fill @e2 "password123" && agent-browser click @e3

# Navigate and capture
agent-browser open https://example.com && agent-browser wait --load networkidle && agent-browser screenshot page.png

When to chain: Use && when you don't need to read the output of an intermediate command before proceeding (e.g., open + wait + screenshot). Run commands separately when you need to parse the output first (e.g., snapshot to discover refs, then interact using those refs).

Handling Authentication

When automating a site that requires login, choose the approach that fits:

Option 1: Import auth from the user's browser (fastest for one-off tasks)

# Connect to the user's running Chrome (they're already logged in)
agent-browser --auto-connect state save ./auth.json
# Use that auth state
agent-browser --state ./auth.json open https://app.example.com/dashboard

State files contain session tokens in plaintext -- add to .gitignore and delete when no longer needed. Set AGENT_BROWSER_ENCRYPTION_KEY for encryption at rest.

Option 2: Persistent profile (simplest for recurring tasks)

# First run: login manually or via automation
agent-browser --profile ~/.myapp open https://app.example.com/login
# ... fill credentials, submit ...

# All future runs: already authenticated
agent-browser --profile ~/.myapp open https://app.example.com/dashboard

Option 3: Session name (auto-save/restore cookies + localStorage)

agent-browser --session-name myapp open https://app.example.com/login
# ... login flow ...
agent-browser close  # State auto-saved

# Next time: state auto-restored
agent-browser --session-name myapp open https://app.example.com/dashboard

Option 4: Auth vault (credentials stored encrypted, login by name)

echo "$PASSWORD" | agent-browser auth save myapp --url https://app.example.com/login --username user --password-stdin
agent-browser auth login myapp

auth login navigates with load and then waits for login form selectors to appear before filling/clicking, which is more reliable on delayed SPA login screens.

Option 5: State file (manual save/load)

# After logging in:
agent-browser state save ./auth.json
# In a future session:
agent-browser state load ./auth.json
agent-browser open https://app.example.com/dashboard

See references/authentication.md for OAuth, 2FA, cookie-based auth, and token refresh patterns.

Essential Commands

# Navigation
agent-browser open <url>              # Navigate (aliases: goto, navigate)
agent-browser close                   # Close browser
agent-browser close --all             # Close all active sessions

# Snapshot
agent-browser snapshot -i             # Interactive elements with refs (recommended)
agent-browser snapshot -s "#selector" # Scope to CSS selector

# Interaction (use @refs from snapshot)
agent-browser click @e1               # Click element
agent-browser click @e1 --new-tab     # Click and open in new tab
agent-browser fill @e2 "text"         # Clear and type text
agent-browser type @e2 "text"         # Type without clearing
agent-browser select @e1 "option"     # Select dropdown option
agent-browser check @e1               # Check checkbox
agent-browser press Enter             # Press key
agent-browser keyboard type "text"    # Type at current focus (no selector)
agent-browser keyboard inserttext "text"  # Insert without key events
agent-browser scroll down 500         # Scroll page
agent-browser scroll down 500 --selector "div.content"  # Scroll within a specific container

# Get information
agent-browser get text @e1            # Get element text
agent-browser get url                 # Get current URL
agent-browser get title               # Get page title
agent-browser get cdp-url             # Get CDP WebSocket URL

# Wait
agent-browser wait @e1                # Wait for element
agent-browser wait --load networkidle # Wait for network idle
agent-browser wait --url "**/page"    # Wait for URL pattern
agent-browser wait 2000               # Wait milliseconds
agent-browser wait --text "Welcome"    # Wait for text to appear (substring match)
agent-browser wait --fn "!document.body.innerText.includes('Loading...')"  # Wait for text to disappear
agent-browser wait "#spinner" --state hidden  # Wait for element to disappear

# Downloads
agent-browser download @e1 ./file.pdf          # Click element to trigger download
agent-browser wait --download ./output.zip     # Wait for any download to complete
agent-browser --download-path ./downloads open <url>  # Set default download directory

# Network
agent-browser network requests                 # Inspect tracked requests
agent-browser network requests --type xhr,fetch  # Filter by resource type
agent-browser network requests --method POST   # Filter by HTTP method
agent-browser network requests --status 2xx    # Filter by status (200, 2xx, 400-499)
agent-browser network request <requestId>      # View full request/response detail
agent-browser network route "**/api/*" --abort  # Block matching requests
agent-browser network har start                # Start HAR recording
agent-browser network har stop ./capture.har   # Stop and save HAR file

# Viewport & Device Emulation
agent-browser set viewport 1920 1080          # Set viewport size (default: 1280x720)
agent-browser set viewport 1920 1080 2        # 2x retina (same CSS size, higher res screenshots)
agent-browser set device "iPhone 14"          # Emulate device (viewport + user agent)

# Capture
agent-browser screenshot              # Screenshot to temp dir
agent-browser screenshot --full       # Full page screenshot
agent-browser screenshot --annotate   # Annotated screenshot with numbered element labels
agent-browser screenshot --screenshot-dir ./shots  # Save to custom directory
agent-browser screenshot --screenshot-format jpeg --screenshot-quality 80
agent-browser pdf output.pdf          # Save as PDF

# Live preview / streaming
agent-browser stream enable           # Start runtime WebSocket streaming on an auto-selected port
agent-browser stream enable --port 9223  # Bind a specific localhost port
agent-browser stream status           # Inspect enabled state, port, connection, and screencasting
agent-browser stream disable          # Stop runtime streaming and remove the .stream metadata file

# Clipboard
agent-browser clipboard read                      # Read text from clipboard
agent-browser clipboard write "Hello, World!"     # Write text to clipboard
agent-browser clipboard copy                      # Copy current selection
agent-browser clipboard paste                     # Paste from clipboard

# Dialogs (alert, confirm, prompt, beforeunload)
# By default, alert and beforeunload dialogs are auto-accepted so they never block the agent.
# confirm and prompt dialogs still require explicit handling.
# Use --no-auto-dialog (or AGENT_BROWSER_NO_AUTO_DIALOG=1) to disable automatic handling.
agent-browser dialog accept              # Accept dialog
agent-browser dialog accept "my input"   # Accept prompt dialog with text
agent-browser dialog dismiss             # Dismiss/cancel dialog
agent-browser dialog status              # Check if a dialog is currently open

# Diff (compare page states)
agent-browser diff snapshot                          # Compare current vs last snapshot
agent-browser diff snapshot --baseline before.txt    # Compare current vs saved file
agent-browser diff screenshot --baseline before.png  # Visual pixel diff
agent-browser diff url <url1> <url2>                 # Compare two pages
agent-browser diff url <url1> <url2> --wait-until networkidle  # Custom wait strategy
agent-browser diff url <url1> <url2> --selector "#main"  # Scope to element

Streaming

Every session automatically starts a WebSocket stream server on an OS-assigned port. Use agent-browser stream status to see the bound port and connection state. Use stream disable to tear it down, and stream enable --port <port> to re-enable on a specific port.

Batch Execution

Execute multiple commands in a single invocation by piping a JSON array of string arrays to batch. This avoids per-command process startup overhead when running multi-step workflows.

echo '[
  ["open", "https://example.com"],
  ["snapshot", "-i"],
  ["click", "@e1"],
  ["screenshot", "result.png"]
]' | agent-browser batch --json

# Stop on first error
agent-browser batch --bail < commands.json

Use batch when you have a known sequence of commands that don't depend on intermediate output. Use separate commands or && chaining when you need to parse output between steps (e.g., snapshot to discover refs, then interact).

Common Patterns

Form Submission

agent-browser open https://example.com/signup
agent-browser snapshot -i
agent-browser fill @e1 "Jane Doe"
agent-browser fill @e2 "jane@example.com"
agent-browser select @e3 "California"
agent-browser check @e4
agent-browser click @e5
agent-browser wait --load networkidle

Authentication with Auth Vault (Recommended)

# Save credentials once (encrypted with AGENT_BROWSER_ENCRYPTION_KEY)
# Recommended: pipe password via stdin to avoid shell history exposure
echo "pass" | agent-browser auth save github --url https://github.com/login --username user --password-stdin

# Login using saved profile (LLM never sees password)
agent-browser auth login github

# List/show/delete profiles
agent-browser auth list
agent-browser auth show github
agent-browser auth delete github

auth login waits for username/password/submit selectors before interacting, with a timeout tied to the default action timeout.

Authentication with State Persistence

# Login once and save state
agent-browser open https://app.example.com/login
agent-browser snapshot -i
agent-browser fill @e1 "$USERNAME"
agent-browser fill @e2 "$PASSWORD"
agent-browser click @e3
agent-browser wait --url "**/dashboard"
agent-browser state save auth.json

# Reuse in future sessions
agent-browser state load auth.json
agent-browser open https://app.example.com/dashboard

Session Persistence

# Auto-save/restore cookies and localStorage across browser restarts
agent-browser --session-name myapp open https://app.example.com/login
# ... login flow ...
agent-browser close  # State auto-saved to ~/.agent-browser/sessions/

# Next time, state is auto-loaded
agent-browser --session-name myapp open https://app.example.com/dashboard

# Encrypt state at rest
export AGENT_BROWSER_ENCRYPTION_KEY=$(openssl rand -hex 32)
agent-browser --session-name secure open https://app.example.com

# Manage saved states
agent-browser state list
agent-browser state show myapp-default.json
agent-browser state clear myapp
agent-browser state clean --older-than 7

Working with Iframes

Iframe content is automatically inlined in snapshots. Refs inside iframes carry frame context, so you can interact with them directly.

agent-browser open https://example.com/checkout
agent-browser snapshot -i
# @e1 [heading] "Checkout"
# @e2 [Iframe] "payment-frame"
#   @e3 [input] "Card number"
#   @e4 [input] "Expiry"
#   @e5 [button] "Pay"

# Interact directly — no frame switch needed
agent-browser fill @e3 "4111111111111111"
agent-browser fill @e4 "12/28"
agent-browser click @e5

# To scope a snapshot to one iframe:
agent-browser frame @e2
agent-browser snapshot -i         # Only iframe content
agent-browser frame main          # Return to main frame

Data Extraction

agent-browser open https://example.com/products
agent-browser snapshot -i
agent-browser get text @e5           # Get specific element text
agent-browser get text body > page.txt  # Get all page text

# JSON output for parsing
agent-browser snapshot -i --json
agent-browser get text @e1 --json

Parallel Sessions

agent-browser --session site1 open https://site-a.com
agent-browser --session site2 open https://site-b.com

agent-browser --session site1 snapshot -i
agent-browser --session site2 snapshot -i

agent-browser session list

Connect to Existing Chrome

# Auto-discover running Chrome with remote debugging enabled
agent-browser --auto-connect open https://example.com
agent-browser --auto-connect snapshot

# Or with explicit CDP port
agent-browser --cdp 9222 snapshot

Auto-connect discovers Chrome via DevToolsActivePort, common debugging ports (9222, 9229), and falls back to a direct WebSocket connection if HTTP-based CDP discovery fails.

Color Scheme (Dark Mode)

# Persistent dark mode via flag (applies to all pages and new tabs)
agent-browser --color-scheme dark open https://example.com

# Or via environment variable
AGENT_BROWSER_COLOR_SCHEME=dark agent-browser open https://example.com

# Or set during session (persists for subsequent commands)
agent-browser set media dark

Viewport & Responsive Testing

# Set a custom viewport size (default is 1280x720)
agent-browser set viewport 1920 1080
agent-browser screenshot desktop.png

# Test mobile-width layout
agent-browser set viewport 375 812
agent-browser screenshot mobile.png

# Retina/HiDPI: same CSS layout at 2x pixel density
# Screenshots stay at logical viewport size, but content renders at higher DPI
agent-browser set viewport 1920 1080 2
agent-browser screenshot retina.png

# Device emulation (sets viewport + user agent in one step)
agent-browser set device "iPhone 14"
agent-browser screenshot device.png

The scale parameter (3rd argument) sets window.devicePixelRatio without changing CSS layout. Use it when testing retina rendering or capturing higher-resolution screenshots.

Visual Browser (Debugging)

agent-browser --headed open https://example.com
agent-browser highlight @e1          # Highlight element
agent-browser inspect                # Open Chrome DevTools for the active page
agent-browser record start demo.webm # Record session
agent-browser profiler start         # Start Chrome DevTools profiling
agent-browser profiler stop trace.json # Stop and save profile (path optional)

Use AGENT_BROWSER_HEADED=1 to enable headed mode via environment variable. Browser extensions work in both headed and headless mode.

Local Files (PDFs, HTML)

# Open local files with file:// URLs
agent-browser --allow-file-access open file:///path/to/document.pdf
agent-browser --allow-file-access open file:///path/to/page.html
agent-browser screenshot output.png

iOS Simulator (Mobile Safari)

# List available iOS simulators
agent-browser device list

# Launch Safari on a specific device
agent-browser -p ios --device "iPhone 16 Pro" open https://example.com

# Same workflow as desktop - snapshot, interact, re-snapshot
agent-browser -p ios snapshot -i
agent-browser -p ios tap @e1          # Tap (alias for click)
agent-browser -p ios fill @e2 "text"
agent-browser -p ios swipe up         # Mobile-specific gesture

# Take screenshot
agent-browser -p ios screenshot mobile.png

# Close session (shuts down simulator)
agent-browser -p ios close

Requirements: macOS with Xcode, Appium (npm install -g appium && appium driver install xcuitest)

Real devices: Works with physical iOS devices if pre-configured. Use --device "<UDID>" where UDID is from xcrun xctrace list devices.

Security

All security features are opt-in. By default, agent-browser imposes no restrictions on navigation, actions, or output.

Content Boundaries (Recommended for AI Agents)

Enable --content-boundaries to wrap page-sourced output in markers that help LLMs distinguish tool output from untrusted page content:

export AGENT_BROWSER_CONTENT_BOUNDARIES=1
agent-browser snapshot
# Output:
# --- AGENT_BROWSER_PAGE_CONTENT nonce=<hex> origin=https://example.com ---
# [accessibility tree]
# --- END_AGENT_BROWSER_PAGE_CONTENT nonce=<hex> ---

Domain Allowlist

Restrict navigation to trusted domains. Wildcards like *.example.com also match the bare domain example.com. Sub-resource requests, WebSocket, and EventSource connections to non-allowed domains are also blocked. Include CDN domains your target pages depend on:

export AGENT_BROWSER_ALLOWED_DOMAINS="example.com,*.example.com"
agent-browser open https://example.com        # OK
agent-browser open https://malicious.com       # Blocked

Action Policy

Use a policy file to gate destructive actions:

export AGENT_BROWSER_ACTION_POLICY=./policy.json

Example policy.json:

{ "default": "deny", "allow": ["navigate", "snapshot", "click", "scroll", "wait", "get"] }

Auth vault operations (auth login, etc.) bypass action policy but domain allowlist still applies.

Output Limits

Prevent context flooding from large pages:

export AGENT_BROWSER_MAX_OUTPUT=50000

Diffing (Verifying Changes)

Use diff snapshot after performing an action to verify it had the intended effect. This compares the current accessibility tree against the last snapshot taken in the session.

# Typical workflow: snapshot -> action -> diff
agent-browser snapshot -i          # Take baseline snapshot
agent-browser click @e2            # Perform action
agent-browser diff snapshot        # See what changed (auto-compares to last snapshot)

For visual regression testing or monitoring:

# Save a baseline screenshot, then compare later
agent-browser screenshot baseline.png
# ... time passes or changes are made ...
agent-browser diff screenshot --baseline baseline.png

# Compare staging vs production
agent-browser diff url https://staging.example.com https://prod.example.com --screenshot

diff snapshot output uses + for additions and - for removals, similar to git diff. diff screenshot produces a diff image with changed pixels highlighted in red, plus a mismatch percentage.

Timeouts and Slow Pages

The default timeout is 25 seconds. This can be overridden with the AGENT_BROWSER_DEFAULT_TIMEOUT environment variable (value in milliseconds). For slow websites or large pages, use explicit waits instead of relying on the default timeout:

# Wait for network activity to settle (best for slow pages)
agent-browser wait --load networkidle

# Wait for a specific element to appear
agent-browser wait "#content"
agent-browser wait @e1

# Wait for a specific URL pattern (useful after redirects)
agent-browser wait --url "**/dashboard"

# Wait for a JavaScript condition
agent-browser wait --fn "document.readyState === 'complete'"

# Wait a fixed duration (milliseconds) as a last resort
agent-browser wait 5000

When dealing with consistently slow websites, use wait --load networkidle after open to ensure the page is fully loaded before taking a snapshot. If a specific element is slow to render, wait for it directly with wait <selector> or wait @ref.

JavaScript Dialogs (alert / confirm / prompt)

When a page opens a JavaScript dialog (alert(), confirm(), or prompt()), it blocks all other browser commands (snapshot, screenshot, click, etc.) until the dialog is dismissed. If commands start timing out unexpectedly, check for a pending dialog:

# Check if a dialog is blocking
agent-browser dialog status

# Accept the dialog (dismiss the alert / click OK)
agent-browser dialog accept

# Accept a prompt dialog with input text
agent-browser dialog accept "my input"

# Dismiss the dialog (click Cancel)
agent-browser dialog dismiss

When a dialog is pending, all command responses include a warning field indicating the dialog type and message. In --json mode this appears as a "warning" key in the response object.

Session Management and Cleanup

When running multiple agents or automations concurrently, always use named sessions to avoid conflicts:

# Each agent gets its own isolated session
agent-browser --session agent1 open site-a.com
agent-browser --session agent2 open site-b.com

# Check active sessions
agent-browser session list

Always close your browser session when done to avoid leaked processes:

agent-browser close                    # Close default session
agent-browser --session agent1 close   # Close specific session
agent-browser close --all              # Close all active sessions

If a previous session was not closed properly, the daemon may still be running. Use agent-browser close to clean it up, or agent-browser close --all to shut down every session at once.

To auto-shutdown the daemon after a period of inactivity (useful for ephemeral/CI environments):

AGENT_BROWSER_IDLE_TIMEOUT_MS=60000 agent-browser open example.com

Ref Lifecycle (Important)

Refs (@e1, @e2, etc.) are invalidated when the page changes. Always re-snapshot after:

Clicking links or buttons that navigate
Form submissions
Dynamic content loading (dropdowns, modals)

agent-browser click @e5              # Navigates to new page
agent-browser snapshot -i            # MUST re-snapshot
agent-browser click @e1              # Use new refs

Annotated Screenshots (Vision Mode)

Use --annotate to take a screenshot with numbered labels overlaid on interactive elements. Each label [N] maps to ref @eN. This also caches refs, so you can interact with elements immediately without a separate snapshot.

agent-browser screenshot --annotate
# Output includes the image path and a legend:
#   [1] @e1 button "Submit"
#   [2] @e2 link "Home"
#   [3] @e3 textbox "Email"
agent-browser click @e2              # Click using ref from annotated screenshot

Use annotated screenshots when:

The page has unlabeled icon buttons or visual-only elements
You need to verify visual layout or styling
Canvas or chart elements are present (invisible to text snapshots)
You need spatial reasoning about element positions

Semantic Locators (Alternative to Refs)

When refs are unavailable or unreliable, use semantic locators:

agent-browser find text "Sign In" click
agent-browser find label "Email" fill "user@test.com"
agent-browser find role button click --name "Submit"
agent-browser find placeholder "Search" type "query"
agent-browser find testid "submit-btn" click

JavaScript Evaluation (eval)

Use eval to run JavaScript in the browser context. Shell quoting can corrupt complex expressions -- use --stdin or -b to avoid issues.

# Simple expressions work with regular quoting
agent-browser eval 'document.title'
agent-browser eval 'document.querySelectorAll("img").length'

# Complex JS: use --stdin with heredoc (RECOMMENDED)
agent-browser eval --stdin <<'EVALEOF'
JSON.stringify(
  Array.from(document.querySelectorAll("img"))
    .filter(i => !i.alt)
    .map(i => ({ src: i.src.split("/").pop(), width: i.width }))
)
EVALEOF

# Alternative: base64 encoding (avoids all shell escaping issues)
agent-browser eval -b "$(echo -n 'Array.from(document.querySelectorAll("a")).map(a => a.href)' | base64)"

Why this matters: When the shell processes your command, inner double quotes, ! characters (history expansion), backticks, and $() can all corrupt the JavaScript before it reaches agent-browser. The --stdin and -b flags bypass shell interpretation entirely.

Rules of thumb:

Single-line, no nested quotes -> regular eval 'expression' with single quotes is fine
Nested quotes, arrow functions, template literals, or multiline -> use eval --stdin <<'EVALEOF'
Programmatic/generated scripts -> use eval -b with base64

Configuration File

Create agent-browser.json in the project root for persistent settings:

{
  "headed": true,
  "proxy": "http://localhost:8080",
  "profile": "./browser-data"
}

Priority (lowest to highest): ~/.agent-browser/config.json < ./agent-browser.json < env vars < CLI flags. Use --config <path> or AGENT_BROWSER_CONFIG env var for a custom config file (exits with error if missing/invalid). All CLI options map to camelCase keys (e.g., --executable-path -> "executablePath"). Boolean flags accept true/false values (e.g., --headed false overrides config). Extensions from user and project configs are merged, not replaced.

Deep-Dive Documentation

Reference	When to Use
references/commands.md	Full command reference with all options
references/snapshot-refs.md	Ref lifecycle, invalidation rules, troubleshooting
references/session-management.md	Parallel sessions, state persistence, concurrent scraping
references/authentication.md	Login flows, OAuth, 2FA handling, state reuse
references/video-recording.md	Recording workflows for debugging and documentation
references/profiling.md	Chrome DevTools profiling for performance analysis
references/proxy-support.md	Proxy configuration, geo-testing, rotating proxies

Browser Engine Selection

Use --engine to choose a local browser engine. The default is chrome.

# Use Lightpanda (fast headless browser, requires separate install)
agent-browser --engine lightpanda open example.com

# Via environment variable
export AGENT_BROWSER_ENGINE=lightpanda
agent-browser open example.com

# With custom binary path
agent-browser --engine lightpanda --executable-path /path/to/lightpanda open example.com

Supported engines:

chrome (default) -- Chrome/Chromium via CDP
lightpanda -- Lightpanda headless browser via CDP (10x faster, 10x less memory than Chrome)

Lightpanda does not support --extension, --profile, --state, or --allow-file-access. Install Lightpanda from https://lightpanda.io/docs/open-source/installation.

Observability Dashboard

The dashboard is a standalone background server that shows live browser viewports, command activity, and console output for all sessions.

# Install the dashboard once
agent-browser dashboard install

# Start the dashboard server (background, port 4848)
agent-browser dashboard start

# All sessions are automatically visible in the dashboard
agent-browser open example.com

# Stop the dashboard
agent-browser dashboard stop

The dashboard runs independently of browser sessions on port 4848 (configurable with --port). All sessions automatically stream to the dashboard. Sessions can also be created from the dashboard UI with local engines or cloud providers.

Ready-to-Use Templates

Template	Description
templates/form-automation.sh	Form filling with validation
templates/authenticated-session.sh	Login once, reuse state
templates/capture-workflow.sh	Content extraction with screenshots

./templates/form-automation.sh https://example.com/form
./templates/authenticated-session.sh https://app.example.com/login
./templates/capture-workflow.sh https://example.com ./output