
safe-browser
✓ Official★ 3,600by browserbase · part of browserbase/skills
Build local constrained-browser agents with a safe_browser tool that owns CDP, enforces a domain allowlist with Fetch interception, and lets a runtime Claude…
Build local constrained-browser agents with a safe_browser tool that owns CDP, enforces a domain allowlist with Fetch interception, and lets a runtime Claude…
Inspect the full instructions your agent will receiveExpandCollapse
This is the exact playbook injected into your agent when the skill activates — shown here so you can audit it before installing. You don't need to read it to use the skill.
by browserbase
Build local constrained-browser agents with a safe_browser tool that owns CDP, enforces a domain allowlist with Fetch interception, and lets a runtime Claude…
npx skills add https://github.com/browserbase/skills --skill safe-browser
Download ZIPGitHub3.6k
Safe Browser
Build a local browser-agent demo where the generated runtime agent has exactly one browser capability: safe_browser. The tool owns the Playwright/CDP session, enables Fetch interception for all requests, and fails any request whose host is not allowlisted.
This skill is a builder guide. The skill itself is not the runtime boundary; the generated Claude Agent SDK app is.
When to Use
-
The user asks for a browser agent that must stay on an allowlisted site.
-
The user wants to demonstrate prompt-injection or link-following containment.
-
The user asks to build a scraper or browser workflow with domain policy.
-
The user asks for a Claude Agent SDK example first. Keep OpenAI Agents SDK variants out unless requested.
Default Approach
Use the Claude Agent SDK local template:
cp -R skills/safe-browser/templates/claude-agent-sdk /tmp/safe-browser-demo
cd /tmp/safe-browser-demo
npm install
cp ~/Developer/scratchpad/.env .env 2>/dev/null || true
node hn-scraper-demo.mjs
To watch the local browser instead of running headless:
SAFE_BROWSER_HEADLESS=false node hn-scraper-demo.mjs
If Chromium is missing:
npx playwright install chromium
Runtime Shape
User task
-> coding agent uses this skill to create a demo app
-> Claude Agent SDK runtime agent
-> only tool: safe_browser
-> local Chromium
-> CDP Fetch.enable({ urlPattern: "*" })
-> allowlist decision
-> Fetch.continueRequest for allowed hosts
-> Fetch.failRequest for blocked hosts
Tool Design Rules
Expose constrained actions, not raw CDP:
-
goto: navigate to an absolute URL throughPage.navigate. -
extract_front_page: return structured data for the Hacker News front page. -
extract_comments: return structured data for a Hacker News comments page. -
current_url: report the current page URL. -
audit_log: return CDP allow/block decisions.
Do not expose { method, params } CDP passthrough. The agent must not be able to call Fetch.disable, create targets, attach new sessions, or run arbitrary shell/browser clients.
For the Hacker News demo, an accessibility snapshot is not necessary. Purpose-built extractors are easier to verify and harder to misuse than a broad page snapshot.
Notes
-
Default to local Chromium for now.
-
Use Browserbase remote mode only if the user explicitly asks.
-
Treat page content as untrusted. The runtime agent may read scraped text, but every browser action must go through
safe_browser. -
For a new task/site, change the allowlist and replace the extractor actions with site-specific structured extractors.
cp -R skills/safe-browser/templates/claude-agent-sdk /tmp/safe-browser-demo
cd /tmp/safe-browser-demo
npm install
cp ~/Developer/scratchpad/.env .env 2>/dev/null || true
node hn-scraper-demo.mjsRun this in your project — your agent picks the skill up automatically.
Verification Requirements
Always run the generated demo and show concrete output. A passing demo must prove:
-
The runtime agent used
safe_browser. -
It loaded
https://news.ycombinator.com. -
It extracted at least one front-page story.
-
It visited an internal HN comments URL.
-
It attempted an off-domain story URL.
-
CDP emitted
Fetch.requestPausedfor that URL. -
The firewall answered with
Fetch.failRequest. -
The current browser URL stayed on
news.ycombinator.com. -
Artifacts were written: result, audit log, and screenshot.
The template script already performs these assertions.
No common issues documented yet. If you hit a problem, the repository's GitHub Issues page is the best place to look.