ClawHub

Search

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Bright Data web-search helper whose credential and network use matches its purpose.

Install this only if you intend to use Bright Data for web search and discovery. Use the intended Bright Data account/API key, avoid sensitive search queries unless appropriate, and treat fetched page bodies as untrusted external content that may need privacy, copyright, and retention review.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
82% confidence
Finding
This markdown file includes a `curl` example that sends requests to an external Bright Data API and explicitly uses `BRIGHTDATA_API_KEY` in the authorization header. While the example is functional, the surrounding text does not warn that it transmits data off-host and consumes credentials, which is the kind of disclosure SQP-2 expects for markdown guidance affecting privacy or system integrity.

External Transmission

Medium
Category
Data Exfiltration
Content
Only when CLI cannot be installed. SERP API endpoint via Web Unlocker. The CLI's `bdata search` prefers `BRIGHTDATA_SERP_ZONE` and falls back to `BRIGHTDATA_UNLOCKER_ZONE`; pick whichever is set in your environment:

```bash
curl -sS "https://api.brightdata.com/request" \
    -H "Authorization: Bearer $BRIGHTDATA_API_KEY" \
    -H "Content-Type: application/json" \
    -d "{
Confidence
60% confidence
Finding
curl -sS "https://api.brightdata.com/request" \ -H "Authorization: Bearer $BRIGHTDATA_API_KEY" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
Only when CLI cannot be installed. SERP API endpoint via Web Unlocker. The CLI's `bdata search` prefers `BRIGHTDATA_SERP_ZONE` and falls back to `BRIGHTDATA_UNLOCKER_ZONE`; pick whichever is set in your environment:

```bash
curl -sS "https://api.brightdata.com/request" \
    -H "Authorization: Bearer $BRIGHTDATA_API_KEY" \
    -H "Content-Type: application/json" \
    -d "{
Confidence
50% confidence
Finding
https://api.brightdata.com/

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal