Skill

browser-login

Drive an authentication flow once, sanitize cookies through AIDefence, and vault a reusable cookie handle in browser-cookies for future sessions

npx claudepluginhub akhilyad/deployy --plugin hyrex-browser

Invocation

How this skill is triggered — by the user, by Claude, or both

Slash command

/hyrex-browser:browser-login <login-url> [--vault-name <handle>] [--mfa]

User invocable

Model invocable

Inline context

Default effort

Argument hint<login-url> [--vault-name <handle>] [--mfa]

Tool Access

This skill is limited to the following tools:

mcp__hyrex__browser_openmcp__hyrex__browser_closemcp__hyrex__browser_fillmcp__hyrex__browser_typemcp__hyrex__browser_clickmcp__hyrex__browser_waitmcp__hyrex__browser_evalmcp__hyrex__browser_snapshotmcp__hyrex__aidefence_scanmcp__hyrex__aidefence_has_piiBashReadWrite

Context Preview

The summary Claude sees in its skill listing — used to decide when to auto-load this skill

Authenticate against a target site once, then vault the resulting session credentials so subsequent skills (`browser-extract`, `browser-form-fill`, `browser-test`) can reuse them without re-driving the auth flow. Borrows the pattern from Browserbase's `cookie-sync/SKILL.md` but stores the resulting context in AgentDB rather than on a hosted backend.

SKILL.md

47 lines · ~755 tokens

Similar Skills

receiving-code-review

221.0k

Guides technical evaluation of code review feedback: read fully, restate for understanding, verify against codebase, respond with reasoning or pushback before implementing.

superpowers

Stats

LanguageTypeScript

Parent stars0

MaintenanceGood

Last CommitMay 13, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Stats

Actions

Help us improve

Share bugs, ideas, or general feedback.

Browser Login

Authenticate against a target site once, then vault the resulting session credentials so subsequent skills (browser-extract, browser-form-fill, browser-test) can reuse them without re-driving the auth flow. Borrows the pattern from Browserbase's cookie-sync/SKILL.md but stores the resulting context in AgentDB rather than on a hosted backend.

When to use

Establishing reusable auth for a host the agent will visit repeatedly.

Refreshing a vaulted cookie set whose expiry has passed.

Capturing an MFA-protected session that requires interactive completion.

Steps

Open a recorded session via browser-record.

Drive the auth flow — fill credentials with browser_fill / browser_type. Credentials come from the user or environment; do not read them from .env or paste them into the trajectory args.

Handle MFA (when --mfa): pause for user input or invoke the user's TOTP helper; capture only the resulting redirect, not the code itself.

Capture cookies via browser_eval:

document.cookie  // returns the cookie string for the active document

Or use the Playwright context API where exposed.

AIDefence sanitize:

# Each cookie value passes aidefence_scan to flag raw secrets / high-entropy tokens.

Tokens that look raw get vault-wrapped (an opaque handle) before AgentDB store; raw values never enter the namespace.

Store in browser-cookies:

npx -y @hyrex/cli@latest memory store --namespace browser-cookies \
  --key "<host>" \
  --value "{vault_handle:<opaque>, expiry:<iso>, aidefence_verdict:safe}"

Return the vault handle so downstream skills can mount it via the planned browser_cookie_use MCP tool.

Caveats

Never log raw cookie values, tokens, or passwords. The trajectory step for the auth POST records only the form field names and a <redacted> placeholder for values.

The browser_cookie_use MCP tool is reserved (ADR-0001 §7) but not yet implemented. Until then, downstream skills mount the vaulted cookies via a helper bash function in scripts/ (TBD).

Some sites bind cookies to a UA fingerprint; if a vaulted cookie fails on reuse, re-run browser-login. Do not attempt to fingerprint-match yourself.

This skill is not a credential storage solution. The vault-handle pattern protects against AgentDB leaks, not against compromise of the agent's environment.

Browser Login

When to use

Establishing reusable auth for a host the agent will visit repeatedly.

Refreshing a vaulted cookie set whose expiry has passed.

Capturing an MFA-protected session that requires interactive completion.

Steps

Open a recorded session via browser-record.

Handle MFA (when --mfa): pause for user input or invoke the user's TOTP helper; capture only the resulting redirect, not the code itself.

Capture cookies via browser_eval:

document.cookie  // returns the cookie string for the active document

Or use the Playwright context API where exposed.

AIDefence sanitize:

# Each cookie value passes aidefence_scan to flag raw secrets / high-entropy tokens.

Tokens that look raw get vault-wrapped (an opaque handle) before AgentDB store; raw values never enter the namespace.

Store in browser-cookies:

npx -y @hyrex/cli@latest memory store --namespace browser-cookies \
  --key "<host>" \
  --value "{vault_handle:<opaque>, expiry:<iso>, aidefence_verdict:safe}"

Return the vault handle so downstream skills can mount it via the planned browser_cookie_use MCP tool.

Caveats

Never log raw cookie values, tokens, or passwords. The trajectory step for the auth POST records only the form field names and a <redacted> placeholder for values.

The browser_cookie_use MCP tool is reserved (ADR-0001 §7) but not yet implemented. Until then, downstream skills mount the vaulted cookies via a helper bash function in scripts/ (TBD).

Some sites bind cookies to a UA fingerprint; if a vaulted cookie fails on reuse, re-run browser-login. Do not attempt to fingerprint-match yourself.

This skill is not a credential storage solution. The vault-handle pattern protects against AgentDB leaks, not against compromise of the agent's environment.

browser-login

Invocation

Tool Access

Context Preview

SKILL.md

Similar Skills

Help us improve

Help us improve

Find plugins for your project

browser-login

Invocation

Tool Access

Context Preview

SKILL.md

Browser Login

When to use

Steps

Caveats

Similar Skills

Help us improve

Browser Login

When to use

Steps

Caveats