browser-login


Drive an authentication flow once, sanitize cookies through AIDefence, and vault a reusable cookie handle in browser-cookies for future sessions

NPX Install

npx skill4agent add ruvnet/ruflo browser-login

Browser Login

Authenticate against a target site once, then vault the resulting session credentials so subsequent skills (browser-extract, browser-form-fill, browser-test) can reuse them without re-driving the auth flow. Borrows the pattern from Browserbase's cookie-sync/SKILL.md but stores the resulting context in AgentDB rather than on a hosted backend.

When to use

  • Establishing reusable auth for a host the agent will visit repeatedly.
  • Refreshing a vaulted cookie set whose expiry has passed.
  • Capturing an MFA-protected session that requires interactive completion.

Steps

  1. Open a recorded session via browser-record.
  2. Drive the auth flow: fill credentials with browser_fill / browser_type. Credentials come from the user or environment; do not read them from .env or paste them into the trajectory args.
  3. Handle MFA (when --mfa): pause for user input or invoke the user's TOTP helper; capture only the resulting redirect, not the code itself.
  4. Capture cookies via browser_eval:
    javascript
    document.cookie  // returns the name=value pairs visible to page script for the active document; HttpOnly cookies are not included
    Or use the Playwright context API where exposed.
  5. AIDefence sanitize:
    bash
    # Each cookie value passes aidefence_scan to flag raw secrets / high-entropy tokens.
    Tokens that look raw get vault-wrapped (an opaque handle) before AgentDB store; raw values never enter the namespace.
  6. Store in browser-cookies:
    bash
    npx -y @claude-flow/cli@latest memory store --namespace browser-cookies \
      --key "<host>" \
      --value "{vault_handle:<opaque>, expiry:<iso>, aidefence_verdict:safe}"
  7. Return the vault handle so downstream skills can mount it via the planned browser_cookie_use MCP tool.
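
Steps 5 and 6 as an added Node.js sketch, not code from ruflo or AIDefence. The entropy heuristic and its thresholds, the in-memory Map standing in for the vault, and every function name are assumptions made for illustration.

```javascript
// Added example: hypothetical stand-ins, not the AIDefence or AgentDB APIs.
const { randomUUID } = require("node:crypto");

// Shannon entropy of a string, in bits per character.
function entropyBits(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Assumed heuristic: long, high-entropy values are treated as raw tokens.
function looksRaw(value, minLen = 20, minBits = 3.5) {
  return value.length >= minLen && entropyBits(value) >= minBits;
}

// Split a document.cookie style string into [name, value] pairs.
function parseCookieString(str) {
  return str.split(";").map((p) => p.trim()).filter(Boolean).map((p) => {
    const i = p.indexOf("=");
    return i < 0 ? [p, ""] : [p.slice(0, i), p.slice(i + 1)];
  });
}

// Move the raw cookies into `vault` (a Map standing in for a secret store)
// and return the record that would be stored under the host key.
// Only the opaque handle, expiry and verdict leave this function.
function vaultCookies(host, cookieString, expiryIso, vault) {
  const cookies = parseCookieString(cookieString);
  const handle = "vault:" + randomUUID();
  vault.set(handle, cookies);
  // Names (never values) of cookies the heuristic flagged as raw tokens.
  const wrapped = cookies.filter(([, v]) => looksRaw(v)).map(([n]) => n);
  const record = { vault_handle: handle, expiry: expiryIso, aidefence_verdict: "safe" };
  return { host, record, wrapped };
}

// Constructed sample input; the session token is made up.
const SAMPLE = "theme=dark; sid=f3Kq9ZxT7bLw2VnR8mYc4HdJ6pQs1UaE; lang=en";
```

The serialized record is what would be passed as --value in step 6; the flagged names can be logged because they contain no cookie values.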

Caveats

  • Never log raw cookie values, tokens, or passwords. The trajectory step for the auth POST records only the form field names and a <redacted> placeholder for values.
  • The browser_cookie_use MCP tool is reserved (ADR-0001 §7) but not yet implemented. Until then, downstream skills mount the vaulted cookies via a helper bash function in scripts/ (TBD).
  • Some sites bind cookies to a UA fingerprint; if a vaulted cookie fails on reuse, re-run browser-login. Do not attempt to fingerprint-match yourself.
  • This skill is not a credential storage solution. The vault-handle pattern protects against AgentDB leaks, not against compromise of the agent's environment.