builtbyecho-research
Pass
Audited by ClawScan on May 14, 2026.
Overview
This appears to be a legitimate web research helper, but it runs npm/browser tooling and can optionally use API keys or upload reports, so install and share deliberately.
This skill is reasonable for web research tasks. Before installing, verify that you trust the npm package source, avoid using it to bypass site restrictions, keep API keys out of chat, and only upload reports or traces to Vaultline after checking that they do not contain sensitive information.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing or running the package gives it local code execution under the user's account.
The documented setup runs remote npm tooling and optionally installs a Playwright browser. This is central to a browser-rendered research CLI, but it means the user is trusting package and browser install provenance.
npx @builtbyecho/research --help; npm install -g @builtbyecho/research; npx playwright install chromium
Install only from a trusted source, consider pinning a known version, and review the npm package or repository before using it in sensitive environments.
The agent could fetch, render, or crawl websites on the user's behalf, which may affect site access policies or collect more information than intended if targets are vague.
The skill exposes web automation, rendering, crawling, and extraction commands. These are expected for research and the artifact includes explicit access-control limits.
Render a JavaScript-heavy page ... Crawl a site ... --depth 2 --max-pages 25 ... Do not bypass CAPTCHA, login walls, paywalls, robots/ToS restrictions
Give clear target sites, depth/page limits, and access rules; do not use it to bypass website restrictions.
If configured, the agent may use the user's API quota or account privileges for search or file upload operations.
The skill documents optional provider credentials for Brave search and Vaultline uploads. They are not required and there is no evidence of logging or misuse, but they are still sensitive account secrets.
export BRAVE_API_KEY="..." ... new Vaultline({ apiKey: process.env.VAULTLINE_API_KEY })
Use least-privilege keys where possible, store them in environment variables rather than chat, and revoke them if no longer needed.
Reports or traces may leave the chat and become stored or shareable with other reviewers or agents.
The skill includes an optional pattern for sharing durable research artifacts through an external service for other agents or reviewers. This is disclosed, but the artifact does not specify Vaultline sharing permissions or retention.
upload the final report or trace bundle to Vaultline ... when multiple agents or human reviewers need the same source-backed artifact
Inspect reports and trace bundles before uploading, avoid including private or regulated data unless appropriate, and confirm Vaultline access controls and retention settings.
