Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ClearWeb

v1.0.0

Complete web access for AI agents via Bright Data CLI. Replaces native web_fetch, web_search, and browser tools with reliable, unblocked access to the entire...

1 · 2.5k · 1 current · 1 all-time
by Meir Kadosh (@meirk-brd)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill's stated purpose (giving agents access to Bright Data via the bdata CLI) matches the runtime instructions: search, scrape, pipelines, geo-targeting, CAPTCHA solving, etc. However, the registry metadata lists no install spec and no required credentials, while the SKILL.md clearly requires installing the bdata CLI and authenticating (via OAuth, device flow, or API key). That mismatch between metadata and instructions is an inconsistency.
Instruction Scope
The SKILL.md directs the agent to install the CLI (curl https://cli.brightdata.com/install.sh | bash or npm install -g), to run interactive or headless logins that persist credentials, and to prefer bdata over native web tools. Instructions reference environment variables (BRIGHTDATA_API_KEY, BRIGHTDATA_UNLOCKER_ZONE, BRIGHTDATA_SERP_ZONE, BRIGHTDATA_POLLING_TIMEOUT) and config file locations for stored credentials. While actions are aligned with the Bright Data use-case, they involve network installs, persistent secret storage, and replacing other web tools — all of which broaden the skill's operational scope beyond merely issuing web requests.
Install Mechanism
There is no install specification in the registry, yet SKILL.md instructs running a remote install script piped to bash (curl ... | bash) or installing from npm. Executing a remote install script is a high-risk pattern even when the domain appears official (cli.brightdata.com). The omission of an install spec in the metadata is an inconsistency that removes the opportunity for review and controls at install time.
Credentials
Registry metadata declares no required environment variables or primary credential, but the documentation references and encourages use of BRIGHTDATA_API_KEY (and other BRIGHTDATA_* env vars) and instructs interactive login that stores credentials. Asking for persistent Bright Data credentials (API key or OAuth tokens) is expected for a Bright Data integration, but the metadata omission is deceptive and prevents upfront vetting of secret access.
Persistence & Privilege
The skill does not request always:true and does not modify other skills, but it instructs the agent/user to perform a login that persists credentials to disk (standard Bright Data behavior). Persisted credentials and the ability to route agent web traffic through Bright Data increase blast radius; this is expected for the advertised capability but worth explicit user consent and awareness.
What to consider before installing
This skill appears to be what it says (a Bright Data CLI helper) but the package metadata omits important facts: the SKILL.md tells you to install software from the network and to provide/store Bright Data credentials (API key or OAuth/device login). Before installing:
1. Do not blindly run curl ... | bash. Inspect the installer URL and prefer manual install or the npm package after reviewing it.
2. Confirm you trust brightdata.com and understand billing/usage (Bright Data is a paid proxy/scraping service).
3. Be aware that login stores credentials on disk and that routing agent traffic through Bright Data can send fetched pages and queries outside your environment. Avoid supplying high-privilege secrets.
4. Consider running this in an isolated environment (container/VM) first and limit the agent's autonomous invocation or credential scope.
5. If you proceed, add the Bright Data API key requirement to the skill metadata so the credential request is explicit, and audit any installed script before execution.
