Bright Data Mcp

Security checks across malware telemetry and agentic risk

Overview

This is a real Bright Data web-scraping skill, but it tells the agent to change local MCP settings and expand its own tool access without asking first.

Install only if you intentionally want Bright Data to handle broad web-search and scraping workflows. Keep the API token secret, avoid sharing tokenized URLs or settings files, and do not allow the agent to edit MCP settings or enable Pro/social/browser tools unless you explicitly approve that change.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (18)

Context-Inappropriate Capability

High
Confidence: 99%
Finding
The skill explicitly instructs the agent to read local MCP settings and autonomously modify configuration to enable additional tools. That exceeds the declared purpose of a web-data retrieval skill and creates a path for unauthorized local file access and persistent self-expansion of capabilities without user approval.

Context-Inappropriate Capability

High
Confidence: 98%
Finding
Directing the agent to inspect local settings files to discover server configuration is unrelated to normal web scraping and broadens the skill into local system reconnaissance. Such instructions may expose secrets such as API tokens, server URLs, or environment details and normalize local access beyond user expectations.

Context-Inappropriate Capability

High
Confidence: 99%
Finding
The skill contains concrete steps for editing environment-variable-based MCP server configuration, including adding GROUPS or PRO_MODE values. This is a privileged local configuration change, not a web-data operation, and can persistently alter the agent's permissions and reachable tool surface.

Context-Inappropriate Capability

High
Confidence: 98%
Finding
The error-handling workflow makes local config inspection and modification the default recovery path when tools are missing. This turns ordinary runtime failures into justification for local system access and persistent capability expansion, which is unsafe and outside the stated scope.

Context-Inappropriate Capability

High
Confidence: 99%
Finding
The troubleshooting section again directs autonomous opening and modification of local settings to enable Pro tools. Repetition across the skill increases the likelihood the agent will treat these privileged actions as normal, leading to unauthorized persistence and broader access than the user requested.

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding
The setup instructs users to embed a long-lived Bright Data API token directly in the MCP URL. URLs are commonly stored in settings files, logs, browser history, screenshots, telemetry, and error messages, so this unnecessarily broadens secret exposure for a credential that grants access to paid scraping and automation capabilities.

Context-Inappropriate Capability

Medium
Confidence: 98%
Finding
The Claude Code example persists the API token inline inside a local settings JSON URL, which increases the chance of accidental disclosure through source control, backups, shared dotfiles, desktop search indexing, and support bundle collection. Because this skill is designed to replace all web access, compromise of the token could enable broad misuse of the connected web-data service and consumption of the user's account resources.

Vague Triggers

High
Confidence: 94%
Finding
The trigger language is extremely broad, claiming applicability to essentially any internet-related task and mandating replacement of built-in tools. This overreach increases the chance the skill activates in contexts where its behavior is inappropriate or higher risk, especially given its additional instructions around config changes and scraping-sensitive targets.

Vague Triggers

Medium
Confidence: 91%
Finding
The auto-enable instructions are triggered whenever a needed tool is missing, without meaningful scope limits or user approval gates. That ambiguity encourages the agent to interpret many ordinary tasks as authorization to escalate capabilities by changing configuration.

Missing User Warnings

High
Confidence: 96%
Finding
The skill omits a clear warning that it may read or modify local MCP settings and environment-based configuration. Because these are privileged local actions with persistence and possible secret exposure, failing to disclose them meaningfully undermines informed user consent.

Missing User Warnings

Medium
Confidence: 89%
Finding
The description promotes scraping, social-media data collection, browser automation, CAPTCHA handling, and bot-detection bypass without a privacy or compliance warning. In context, this makes the skill more dangerous because it frames potentially sensitive collection practices as default behavior across many platforms.

Missing User Warnings

Medium
Confidence: 95%
Finding
The documentation repeatedly exposes API tokens in URL examples without any caution about credential leakage, despite query parameters being one of the least safe places to carry secrets. In the context of a high-privilege web-data MCP advertised as handling all internet tasks and bot-detection bypass, the absence of warnings makes misuse and accidental exposure more likely and more consequential.

Missing User Warnings

Medium
Confidence: 92%
Finding
The file documents extensive social/profile scraping capabilities across LinkedIn, Instagram, Facebook, TikTok, X, YouTube, and Reddit without any warning about privacy-sensitive personal data, consent, or permissible use. In the context of a skill explicitly positioned for broad web data collection and lead generation, this omission can normalize misuse for profiling, surveillance, or unauthorized collection of personal information.

Missing User Warnings

Medium
Confidence: 95%
Finding
The browser automation section describes tools for screenshots, full HTML/text extraction, typing into forms, and capturing network requests, but provides no warning that these actions may expose credentials, session tokens, personal messages, payment information, or other sensitive page data. Because these tools support interactive browsing and bot-protection bypass, the lack of safeguards materially increases the risk of collecting or exfiltrating sensitive user or third-party data during automated sessions.

Ssd 4

High
Confidence: 99%
Finding
The skill tells the agent to self-modify MCP configuration to unlock more tools without involving the user. Autonomous self-expansion is dangerous because it changes the agent's available capabilities and trust boundary over time, creating persistence and privilege creep beyond the original installation.

Ssd 4

High
Confidence: 97%
Finding
The workflow narratively normalizes reading settings and updating configuration as a routine operational step. This trains the agent toward autonomous privilege expansion and local-file interaction, making unsafe behavior more likely across many otherwise ordinary requests.

Ssd 4

High
Confidence: 98%
Finding
Making autonomous config changes the default error-recovery path effectively treats capability expansion as normal remediation. This is especially risky because transient tool errors could trigger persistent local changes unrelated to the user's immediate request.

Ssd 4

High
Confidence: 98%
Finding
The Pro-tools guidance provides a stepwise playbook for bypassing normal user mediation and increasing tool access. In context, this is not just documentation; it is an instruction for autonomous capability expansion from within a skill that already claims broad default authority.

VirusTotal

65/65 vendors flagged this skill as clean.