Audit context
Browser automation for recurring invoice downloads
A finance operations team wants an AI agent to sign in to vendor portals, download invoices, store files, and report missing documents.
Public docs plus sandbox traces
Reviewed API docs, auth settings, sample code, sandbox run logs, screenshots, a redacted job response, and a list of failure cases from previous manual runs.
Executive recommendation
Suitable for a bounded pilot after adding safeguards and clearer receipts.
Good inspectability and scriptability; weaker bounded action and recovery.
Run against 3 low-risk vendor portals before expanding scope.
Scorecard summary
| Area | Observed evidence | Assessment |
|---|---|---|
| Inspectability | API docs list session creation, artifact retrieval, timeout settings, and log access. Error catalogue is incomplete. | Mostly ready |
| Scriptability | Workflow can be run through API calls without manual UI control. File retrieval has stable URLs. | Ready for pilot |
| Bounded action | Sandbox token has workspace-wide access. No per-vendor or read-only credential mode was shown. | Needs constraint |
| Verification | Jobs expose status and artifact IDs, but the final response does not summarize which invoices were downloaded or skipped. | Needs receipt design |
| Recovery | Timeouts expose partial logs, but retry guidance is ambiguous and could duplicate downloads. | Needs retry policy |
| Workflow fit | Portal variability remains the main risk. The tool can support the loop if each vendor is treated as a separate adapter with fixtures. | Conditional |
Evidence excerpts
The real report would cite exact docs, response IDs, timestamps, screenshots, and redacted traces. This sample shows the level of specificity without relying on a real client system.
{
"job_id": "job_123_example",
"status": "completed_with_warnings",
"started_at": "2026-05-11T09:14:22Z",
"artifacts": ["invoice_pdf_001", "run_log_001", "screenshot_final_001"],
"warning": "Vendor B portal timed out after file download; final account state not re-checked.",
"missing_receipt_fields": ["vendor_account_id", "file_hash", "dedupe_key", "next_status_check_url"]
}Priority findings
- Add an action receipt for every download. Each completed run should return vendor account, invoice period, artifact ID, file hash, storage path, status URL, and whether the portal state was re-checked.
- Separate credentials by vendor or task. The pilot should not depend on a token that can read or mutate every workspace integration.
- Define safe retries before scaling. Retries should use idempotency keys or a dedupe check so partial success does not create duplicate files or duplicate accounting entries.
- Keep a human approval gate for new portals. Each new vendor portal should be reviewed with a short fixture run before an agent uses it in the recurring workflow.
Recommended pilot plan
| Step | Scope | Pass condition |
|---|---|---|
| 1 | Three known vendor portals, sandbox or low-risk accounts only. | Agent downloads expected invoices and returns complete receipts. |
| 2 | Introduce controlled failures: timeout, missing invoice, changed selector, duplicate run. | Agent reports uncertainty and avoids unsafe retries. |
| 3 | Review logs and artifacts with finance owner. | Owner can reconcile each action from receipt to stored file. |
Want this for your tool or workflow?
Use the audit inquiry form to describe the tool, the agent workflow, and the decision you need to make. The work starts with a fit check before it becomes a paid project.