Skip to main content

page-agent

Integrates a JavaScript GUI agent into web applications, enabling users to interact with the UI using natural language commands.

Install this skill

or
49/100

Security score

The page-agent skill was audited on May 17, 2026 and we found 21 security issues across 4 threat categories, including 1 high-severity. Review the findings below before installing.

Categories Tested

Security Issues

medium line 141

Template literal with variable interpolation in command context

SourceSKILL.md
141javascript:(function(){var s=document.createElement('script');s.src=`http://localhost:5174/page-agent.demo.js?t=${Math.random()}`;s.onload=()=>console.log('PageAgent ready!');document.head.appendChild
high line 173

Curl to non-GitHub URL

SourceSKILL.md
1732. `curl -I http://localhost:5174/page-agent.demo.js` returns `HTTP/1.1 200 OK` with `Content-Type: application/javascript`
low line 74

Access to .env file

SourceSKILL.md
74apiKey: process.env.LLM_API_KEY, // never hardcode
medium line 112

Access to .env file

SourceSKILL.md
112Create `.env` in the repo root with an LLM endpoint. Example:
medium line 146

Access to .env file

SourceSKILL.md
146**Warning:** your `.env` `LLM_API_KEY` is inlined into the IIFE bundle during dev builds. Don't share the bundle. Don't commit it. Don't paste the URL into Slack. (Verified: grepping the public dev bu
medium line 182

Access to .env file

SourceSKILL.md
182- **Restart dev server** after editing `.env` in Path 3 — Vite only reads env at startup.
low line 47

External URL reference

SourceSKILL.md
47<script src="https://cdn.jsdelivr.net/npm/[email protected]/dist/iife/page-agent.demo.js" crossorigin="true"></script>
low line 55

External URL reference

SourceSKILL.md
55javascript:(function(){var s=document.createElement('script');s.src='https://cdn.jsdelivr.net/npm/[email protected]/dist/iife/page-agent.demo.js';document.head.appendChild(s);})();
low line 73

External URL reference

SourceSKILL.md
73baseURL: 'https://dashscope.aliyuncs.com/compatible-mode/v1',
low line 89

External URL reference

SourceSKILL.md
89| Qwen / DashScope | `https://dashscope.aliyuncs.com/compatible-mode/v1` | `qwen3.5-plus` |
low line 90

External URL reference

SourceSKILL.md
90| OpenAI | `https://api.openai.com/v1` | `gpt-4o-mini` |
low line 91

External URL reference

SourceSKILL.md
91| Ollama (local) | `http://localhost:11434/v1` | `qwen3:14b` |
low line 92

External URL reference

SourceSKILL.md
92| OpenRouter | `https://openrouter.ai/api/v1` | `anthropic/claude-sonnet-4.6` |
low line 98

External URL reference

SourceSKILL.md
98- Allowlist and data-masking hooks exist for locking down what the agent can touch — see https://alibaba.github.io/page-agent/ for the full option list
low line 117

External URL reference

SourceSKILL.md
117LLM_BASE_URL=https://api.openai.com/v1
low line 123

External URL reference

SourceSKILL.md
123LLM_BASE_URL=http://localhost:11434/v1
low line 133

External URL reference

SourceSKILL.md
133npm run dev:demo # serve IIFE bundle at http://localhost:5174/page-agent.demo.js
low line 141

External URL reference

SourceSKILL.md
141javascript:(function(){var s=document.createElement('script');s.src=`http://localhost:5174/page-agent.demo.js?t=${Math.random()}`;s.onload=()=>console.log('PageAgent ready!');document.head.appendChild
low line 172

External URL reference

SourceSKILL.md
1721. `npm run dev:demo` prints `Accepting connections at http://localhost:5174`
low line 173

External URL reference

SourceSKILL.md
1732. `curl -I http://localhost:5174/page-agent.demo.js` returns `HTTP/1.1 200 OK` with `Content-Type: application/javascript`
low line 189

External URL reference

SourceSKILL.md
189- Docs: https://alibaba.github.io/page-agent/
Scanned on May 17, 2026
View Security Dashboard
Installation guide →
GitHub Stars 153.5K
Rate this skill
Categorydevelopment
UpdatedMay 20, 2026
openclawfrontendapifrontend-developerproduct-marketergrowth-marketerux-designerproduct-managerdevelopmentmarketingdesignproduct
NousResearch/hermes-agent