Skill v0.1.4

ClawScan security

Indeed Brightdata · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Mar 7, 2026, 3:29 AM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's requirements and scripts align with its stated purpose (using Bright Data to scrape Indeed); it asks only for a Bright Data API key and uses curl/jq, but you should review the included _lib.sh to confirm the API endpoints before installing.
Guidance
This skill appears internally consistent: it asks only for BRIGHTDATA_API_KEY and uses curl/jq to call Bright Data and format results, storing data under ~/.config/indeed-brightdata/. Before installing, do the following: (1) Inspect scripts/_lib.sh to confirm LIB_BASE_URL and any remote endpoints are the official Bright Data API endpoints and that no unexpected third-party endpoints are contacted. (2) Confirm you are OK with the skill writing files to ~/.config/indeed-brightdata/ and creating symlinks under your agent's skills directories (install.sh). (3) Remember Bright Data is a paid scraping service—your API key may incur charges; do not share a high-privilege or shared account key unless you trust the skill. (4) If you are uncertain about the repository origin, prefer manual review over blind install. If you want, I can review the contents of scripts/_lib.sh and package.sh for endpoint and authentication details.
Findings
[none] expected: No pre-scan injection signals or regex findings were reported. The absence of findings does not obviate manual review of _lib.sh and other scripts for endpoint and auth handling.

Review Dimensions

Purpose & Capability
ok: Name/description (Indeed scraping via Bright Data) match the requested credential (BRIGHTDATA_API_KEY) and required binaries (curl, jq). The scripts implement job/company searches, async triggers, polling, result formatting and local storage under ~/.config/indeed-brightdata/, which is consistent with the declared purpose.
Instruction Scope
note: SKILL.md directs the agent to run local shell scripts that call a Bright Data API and format results. The scripts reference only local config paths under ~/.config/indeed-brightdata/ and Bright Data endpoints (e.g., api.brightdata.com in one script). You should inspect scripts/_lib.sh (defines LIB_BASE_URL, auth header construction, file-write locations, and helper functions) to confirm there are no unexpected external endpoints or use of unrelated environment variables.
Install Mechanism
ok: There is no remote installer or archive download; installation is a local install.sh that creates symlinks or packages a ZIP for desktop upload. That is low-risk compared with arbitrary remote downloads. The install script does create symlinks under platform skill directories (e.g., ~/.openclaw/skills/), which is expected for skills installation.
Credentials
ok: Only BRIGHTDATA_API_KEY is required and declared as the primary credential, which is appropriate for a Bright Data integration. I found no other required secrets or unrelated env variables in the visible scripts. The skill stores config/data under ~/.config/indeed-brightdata/ and results/*.json, which is proportionate to its function.
Persistence & Privilege
note: always:false and normal autonomous invocation. The skill persists data locally under ~/.config/indeed-brightdata/ (datasets.json, pending.json, history.json, results/). The installer writes symlinks into platform-specific skill directories—expected for skill installation—so verify you trust the repository before granting write access to those locations.