ClawHub

Bright Data Best Practices

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only Bright Data integration skill whose sensitive examples are expected for its purpose, but users should handle credentials, scraped data, and installer commands carefully.

Install only if you intend to use Bright Data services. Prefer npm/npx or inspect any downloaded installer before running it, keep API keys and Browser API passwords out of chats, logs, and repositories, avoid forwarding production session cookies or sensitive headers, do not submit internal/private/regulated data without approval, and monitor Bright Data billing and legal/terms compliance for scraping targets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation includes credential-bearing connection string patterns and fallback examples that embed `username:password` directly in code and WebSocket/HTTPS URLs. Even though placeholders are used, this normalizes hardcoding secrets, increases the chance developers will paste real credentials into source files, logs, screenshots, or error messages, and can lead to account compromise if those secrets are later exposed.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The document instructs users to authenticate with a bearer API key and later promotes webhook and external storage delivery, but it does not warn that submitted URLs, scraped content, job metadata, and credentials may be transmitted to and retained by a third-party service. In a coding-assistant context, omission of privacy and data-handling cautions can cause developers to send sensitive or regulated data off-platform without appropriate review.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The examples instruct users to send target URLs and retrieved page content to Bright Data's external infrastructure but provide no warning that request metadata and scraped data leave the user's environment. In a developer-assistant context, this omission is risky because users may apply the pattern to internal, authenticated, or regulated data sources without realizing they are disclosing that data to a third party.

Missing User Warnings

High
Confidence
99% confidence
Finding
This section encourages use of custom headers and cookies through third-party scraping infrastructure without a strong warning that session tokens, personalization cookies, or other sensitive headers may be exposed to an external provider. Even though it notes some restrictions, it still normalizes forwarding session context and does not clearly prohibit transmitting secrets or explain the account-takeover/privacy implications.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal