Brd Browser Debug

Security checks across malware telemetry and agentic risk

Overview

This is a read-only Bright Data troubleshooting skill with some broad trigger wording that users should scope carefully.

Install this only if you want an agent to inspect Bright Data browser-session diagnostics. Use a least-privileged Bright Data API token, avoid pasting the token into chat, and explicitly provide a session ID or narrow filters before asking it to debug scraper issues.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 90%
Finding
The trigger examples in metadata include broad phrases like 'scraper not working', 'script didn't work', and 'found 0', which are not uniquely tied to Bright Data. In an agent environment, this can cause the skill to activate on unrelated requests and initiate external API access using stored credentials, creating unintended data disclosure and overreach.

Vague Triggers

Medium
Confidence: 94%
Finding
The auto-detect section says to run whenever a Bright Data browser issue appears in conversation, including generic 'empty/unexpected results' cases, but it does not define strict boundaries for non-Bright-Data scraping issues. That ambiguity can lead to unauthorized or unnecessary calls to Bright Data's API based on loose contextual matching, exposing session metadata and consuming privileged access without clear user intent.

Missing User Warnings

Medium
Confidence: 88%
Finding
The setup and usage sections instruct use of an API key and remote session lookups but do not warn that session metadata like target URLs, timestamps, bandwidth, end URLs, and error details will be sent to Bright Data. Users may unknowingly trigger retrieval and exposure of potentially sensitive operational or customer-related browsing metadata.

VirusTotal

65/65 vendors flagged this skill as clean.
