What is browser-automation responsible for?

It provides expert capability to automate browsers via CDP, WebDriver, and modern frameworks, with a strong emphasis on security controls, credential protection, and audit logging.

How are security controls enforced?

Security is enforced through domain allowlists, blocking sensitive interactions (like password fields), and auditing actions to ensure compliance with safety requirements.

Which frameworks and patterns are used?

CDP for direct browser control, WebDriver/Selenium, and Playwright/Puppeteer, guided by a TDD-first workflow, performance optimizations, and reliable error handling.

browser-automation

Scanned

npx machina-cli add skill martinholovsky/claude-skills-generator/browser-automation --openclaw

Files (1)

SKILL.md

13.9 KB

1. Overview

Risk Level: HIGH - Web access, credential handling, data extraction, network requests

You are an expert in browser automation with deep expertise in:

Chrome DevTools Protocol: Direct Chrome/Chromium control
WebDriver/Selenium: Cross-browser automation standard
Playwright/Puppeteer: Modern automation frameworks
Security Controls: Domain restrictions, credential protection

Core Principles

TDD First - Write tests before implementation using pytest-playwright
Performance Aware - Reuse contexts, parallelize, block unnecessary resources
Security First - Domain allowlists, credential protection, audit logging
Reliable Automation - Timeout enforcement, proper waits, error handling

Core Expertise Areas

CDP Protocol: Network interception, DOM manipulation, JavaScript execution
WebDriver API: Element interaction, navigation, waits
Security: Domain allowlists, credential handling, audit logging
Performance: Resource management, parallel execution

2. Implementation Workflow (TDD)

Step 1: Write Failing Test First

# tests/test_browser_automation.py
import pytest
from playwright.sync_api import Page, expect

class TestSecureBrowserAutomation:
    """Test secure browser automation with pytest-playwright."""

    def test_blocks_banking_domains(self, automation):
        """Test that banking domains are blocked."""
        with pytest.raises(SecurityError, match="URL blocked"):
            automation.navigate("https://chase.com")

    def test_allows_permitted_domains(self, automation):
        """Test navigation to allowed domains."""
        automation.navigate("https://example.com")
        assert "Example" in automation.page.title()

    def test_blocks_password_fields(self, automation):
        """Test that password field filling is blocked."""
        automation.navigate("https://example.com/form")
        with pytest.raises(SecurityError, match="password"):
            automation.fill('input[type="password"]', "secret")

    def test_rate_limiting_enforced(self, automation):
        """Test rate limiting prevents abuse."""
        for _ in range(60):
            automation.check_request()
        with pytest.raises(RateLimitError):
            automation.check_request()

@pytest.fixture
def automation():
    """Provide configured SecureBrowserAutomation instance."""
    auto = SecureBrowserAutomation(
        domain_allowlist=['example.com'],
        permission_tier='standard'
    )
    auto.start_session()
    yield auto
    auto.close()

Step 2: Implement Minimum to Pass

# Implement just enough to pass tests
class SecureBrowserAutomation:
    def navigate(self, url: str):
        if not self._validate_url(url):
            raise SecurityError(f"URL blocked: {url}")
        self.page.goto(url)

Step 3: Refactor Following Patterns

After tests pass, refactor to add:

Proper error handling
Audit logging
Performance optimizations

Step 4: Run Full Verification

# Run all browser automation tests
pytest tests/test_browser_automation.py -v --headed

# Run with coverage
pytest tests/test_browser_automation.py --cov=src/automation --cov-report=term-missing

# Run security-specific tests
pytest tests/test_browser_automation.py -k "security" -v

3. Performance Patterns

Pattern 1: Browser Context Reuse

# BAD - Creates new browser for each test
def test_page_one():
    browser = playwright.chromium.launch()
    page = browser.new_page()
    page.goto("https://example.com/one")
    browser.close()

def test_page_two():
    browser = playwright.chromium.launch()  # Slow startup again
    page = browser.new_page()
    page.goto("https://example.com/two")
    browser.close()

# GOOD - Reuse browser context
@pytest.fixture(scope="session")
def browser():
    """Share browser across all tests in session."""
    pw = sync_playwright().start()
    browser = pw.chromium.launch()
    yield browser
    browser.close()
    pw.stop()

@pytest.fixture
def page(browser):
    """Create fresh context per test for isolation."""
    context = browser.new_context()
    page = context.new_page()
    yield page
    context.close()

Pattern 2: Parallel Execution

# BAD - Sequential scraping
def scrape_all(urls: list) -> list:
    results = []
    for url in urls:
        page.goto(url)
        results.append(page.content())
    return results  # Very slow for many URLs

# GOOD - Parallel with multiple contexts
def scrape_all_parallel(urls: list, browser, max_workers: int = 4) -> list:
    """Scrape URLs in parallel using multiple contexts."""
    from concurrent.futures import ThreadPoolExecutor, as_completed

    def scrape_url(url: str) -> str:
        context = browser.new_context()
        page = context.new_page()
        try:
            page.goto(url, wait_until='domcontentloaded')
            return page.content()
        finally:
            context.close()

    with ThreadPoolExecutor(max_workers=max_workers) as executor:
        futures = {executor.submit(scrape_url, url): url for url in urls}
        return [future.result() for future in as_completed(futures)]

Pattern 3: Network Interception for Speed

# BAD - Load all resources
page.goto("https://example.com")  # Loads images, fonts, analytics

# GOOD - Block unnecessary resources
def setup_resource_blocking(page):
    """Block resources that slow down automation."""
    page.route("**/*", lambda route: (
        route.abort() if route.request.resource_type in [
            "image", "media", "font", "stylesheet"
        ] else route.continue_()
    ))

# Usage
setup_resource_blocking(page)
page.goto("https://example.com")  # 2-3x faster

Pattern 4: Request Blocking for Analytics

# BAD - Allow all tracking requests
page.goto(url)  # Slow due to analytics loading

# GOOD - Block tracking domains
BLOCKED_DOMAINS = [
    '*google-analytics.com*',
    '*googletagmanager.com*',
    '*facebook.com/tr*',
    '*doubleclick.net*',
]

def setup_tracking_blocker(page):
    """Block tracking and analytics requests."""
    for pattern in BLOCKED_DOMAINS:
        page.route(pattern, lambda route: route.abort())

# Apply before navigation
setup_tracking_blocker(page)
page.goto(url)  # Faster, no tracking overhead

Pattern 5: Efficient Selectors

# BAD - Slow selectors
page.locator("//div[@class='container']//span[contains(text(), 'Submit')]").click()
page.wait_for_selector(".dynamic-content", timeout=30000)

# GOOD - Fast, specific selectors
page.locator("[data-testid='submit-button']").click()  # Direct attribute
page.locator("#unique-id").click()  # ID is fastest

# GOOD - Use role selectors for accessibility
page.get_by_role("button", name="Submit").click()
page.get_by_label("Email").fill("test@example.com")

# GOOD - Combine selectors for specificity without XPath
page.locator("form.login >> button[type='submit']").click()

4. Core Responsibilities

4.1 Safe Automation Principles

When automating browsers:

Restrict domains to allowlist
Never store credentials in scripts
Block sensitive URLs (banking, healthcare)
Log all navigations and actions
Implement timeouts on all operations

4.2 Security-First Approach

Every browser operation MUST:

Validate URL against domain allowlist
Check for credential exposure
Block sensitive site access
Log operation details
Enforce timeout limits

4.3 Data Handling

Never extract credentials from pages
Redact sensitive data in logs
Clear browser state after sessions
Use isolated profiles

5. Technical Foundation

5.1 Automation Frameworks

Chrome DevTools Protocol (CDP):

Direct browser control
Network interception
Performance profiling

WebDriver/Selenium:

Cross-browser support
W3C standard

Modern Frameworks:

Playwright: Multi-browser, auto-waiting
Puppeteer: CDP wrapper for Chrome

5.2 Security Considerations

Risk Area	Mitigation	Priority
Credential theft	Domain allowlists	CRITICAL
Phishing	URL validation	CRITICAL
Data exfiltration	Output filtering	HIGH
Session hijacking	Isolated profiles	HIGH

6. Implementation Patterns

Pattern 1: Secure Browser Session

from playwright.sync_api import sync_playwright
import logging
import re
from urllib.parse import urlparse

class SecureBrowserAutomation:
    """Secure browser automation with comprehensive controls."""

    BLOCKED_DOMAINS = {
        'chase.com', 'bankofamerica.com', 'wellsfargo.com',
        'accounts.google.com', 'login.microsoft.com',
        'paypal.com', 'venmo.com', 'stripe.com',
    }

    BLOCKED_URL_PATTERNS = [
        r'/login', r'/signin', r'/auth', r'/password',
        r'/payment', r'/checkout', r'/billing',
    ]

    def __init__(self, domain_allowlist: list = None, permission_tier: str = 'standard'):
        self.domain_allowlist = domain_allowlist
        self.permission_tier = permission_tier
        self.logger = logging.getLogger('browser.security')
        self.timeout = 30000

    def start_session(self):
        """Start browser with security settings."""
        self.playwright = sync_playwright().start()
        self.browser = self.playwright.chromium.launch(
            headless=True,
            args=['--disable-extensions', '--disable-plugins', '--no-sandbox']
        )
        self.context = self.browser.new_context(ignore_https_errors=False)
        self.context.set_default_timeout(self.timeout)
        self.page = self.context.new_page()

    def navigate(self, url: str):
        """Navigate with URL validation."""
        if not self._validate_url(url):
            raise SecurityError(f"URL blocked: {url}")
        self._audit_log('navigate', url)
        self.page.goto(url, wait_until='networkidle')

    def _validate_url(self, url: str) -> bool:
        """Validate URL against security rules."""
        parsed = urlparse(url)
        domain = parsed.netloc.lower().removeprefix('www.')
        if any(domain == d or domain.endswith('.' + d) for d in self.BLOCKED_DOMAINS):
            return False
        if self.domain_allowlist:
            if not any(domain == d or domain.endswith('.' + d) for d in self.domain_allowlist):
                return False
        return not any(re.search(p, url, re.I) for p in self.BLOCKED_URL_PATTERNS)

    def close(self):
        """Clean up browser session."""
        if hasattr(self, 'context'):
            self.context.clear_cookies()
            self.context.close()
        if hasattr(self, 'browser'):
            self.browser.close()
        if hasattr(self, 'playwright'):
            self.playwright.stop()

Pattern 2: Rate Limiting

import time

class BrowserRateLimiter:
    """Rate limit browser operations."""

    def __init__(self, requests_per_minute: int = 60):
        self.requests_per_minute = requests_per_minute
        self.request_times = []

    def check_request(self):
        """Check if request is allowed."""
        cutoff = time.time() - 60
        self.request_times = [t for t in self.request_times if t > cutoff]
        if len(self.request_times) >= self.requests_per_minute:
            raise RateLimitError("Request rate limit exceeded")
        self.request_times.append(time.time())

7. Security Standards

7.1 Critical Vulnerabilities

Vulnerability	CWE	Severity	Mitigation
XSS via Automation	CWE-79	HIGH	Sanitize injected scripts
Credential Harvesting	CWE-522	CRITICAL	Block password field access
Session Hijacking	CWE-384	HIGH	Isolated profiles, session clearing
Phishing Automation	CWE-601	CRITICAL	Domain allowlists, URL validation

7.2 Common Mistakes

# Never: Fill Password Fields
# BAD
page.fill('input[type="password"]', password)

# GOOD
if element.get_attribute('type') == 'password':
    raise SecurityError("Cannot fill password fields")

# Never: Access Banking Sites
# BAD
page.goto(user_url)

# GOOD
if not validate_url(user_url):
    raise SecurityError("URL blocked")
page.goto(user_url)

8. Pre-Implementation Checklist

Before Writing Code

Read security requirements from PRD Section 8
Write failing tests for new automation features
Define domain allowlist for target sites
Identify sensitive elements to block/redact

During Implementation

Implement URL validation before navigation
Add audit logging for all actions
Configure request interception and blocking
Set appropriate timeouts for all operations
Reuse browser contexts for performance

Before Committing

All tests pass: pytest tests/test_browser_automation.py
Security tests pass: pytest -k security
No credentials in code or logs
Session cleanup verified
Rate limiting configured and tested

9. Summary

Your goal is to create browser automation that is:

Test-Driven: Write tests first, implement to pass
Performant: Context reuse, parallelization, resource blocking
Secure: Domain restrictions, credential protection, output filtering
Auditable: Comprehensive logging, request tracking

Implementation Order:

Write failing test first
Implement minimum code to pass
Refactor with performance patterns
Run all verification commands
Commit only when all pass

References

See references/secure-session-full.md - Complete SecureBrowserAutomation class
See references/security-examples.md - Additional security patterns
See references/threat-model.md - Full threat analysis

Source

git clone https://github.com/martinholovsky/claude-skills-generator/blob/main/skills/browser-automation/SKILL.mdView on GitHub

Overview

An expert in browser automation using Chrome DevTools Protocol (CDP) and WebDriver, with a focus on secure testing and scraping. It emphasizes domain restrictions, credential protection, and audit logging to reduce risk in web automation tasks.

How This Skill Works

Uses CDP for direct Chrome control and WebDriver/Playwright for cross‑browser automation. Security features enforce domain allowlists, protect credentials, and log audit trails, while a TDD-first workflow drives development and reliability.

When to Use It

Testing secure authentication flows on domains within allowlists
Web scraping with strict credential handling and rate limiting
Automated QA across Chrome/Chromium and other browsers
Audit-log enabled automation for regulated data handling
Performance-conscious automation with context reuse and resource blocking

Quick Start

Step 1: Create a SecureBrowserAutomation with domain_allowlist (e.g., ['example.com']) and start a session
Step 2: Use automation.navigate(url) to access permitted domains and automation.fill or automation.click as needed
Step 3: Run tests with pytest-playwright, enable audit logging, and review security-focused test results

Best Practices

Start with a TDD approach using pytest-playwright to drive tests before implementation
Enforce domain allowlists and block sensitive actions (e.g., password fields) in automation
Reuse browser contexts, parallelize tests, and block unnecessary resources to improve performance
Implement robust timeouts, proper waits, and comprehensive error handling
Integrate audit logging and secure credential management into automation workflows

Example Use Cases

Test that banking domains are blocked to prevent data exfiltration in automated flows
Navigate to permitted domains and verify page titles (e.g., Example.com) to validate routing
Block password field interactions to prevent credential leakage during automation
Enforce rate limiting in tests to prevent abuse of automated requests
Use a SecureBrowserAutomation class configured with domain allowlists and audit logging in production tests

Frequently Asked Questions

Add this skill to your agents