Bright Data

Pass

Audited by ClawScan on May 1, 2026.

Overview

This looks like a straightforward Bright Data search and scraping wrapper, but it uses a Bright Data API key and can send chosen queries or URLs to Bright Data, including for CAPTCHA-bypass scraping.

Install this only if you intend to use Bright Data for web search/scraping. Use a scoped API key and zone, watch for provider costs, avoid private or tokenized URLs, and make sure your scraping complies with the target site’s rules and your legal obligations.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill can help an agent retrieve pages through a web-unlocker service, which may have legal, terms-of-service, or privacy implications depending on the target page.

Why it was flagged

The broad scraping and bot/CAPTCHA-bypass capability is clearly disclosed and matches the skill purpose, but it is a capability users should consciously direct and use only on appropriate targets.

Skill content

Scrape any webpage as markdown. Bypasses bot detection and CAPTCHA.

Recommendation

Use it only for authorized or acceptable scraping targets, and confirm sensitive or private URLs before asking the agent to scrape them.

What this means

If the key is available in the environment, the skill can make Bright Data API requests under that account.

Why it was flagged

The script authenticates to Bright Data using an environment-provided API key. This is expected for the integration, but it gives the skill access to a provider credential that may incur usage or billing.

Skill content

-H "Authorization: Bearer $BRIGHTDATA_API_KEY"

Recommendation

Use a restricted Bright Data key/zone where possible, monitor usage, and ensure the registry metadata is updated to declare the required env vars and primary credential.

What this means

Sensitive URLs, private links, or confidential search targets could be disclosed to Bright Data if the user or agent submits them.

Why it was flagged

The user-supplied target URL is sent to Bright Data in the API request. This is purpose-aligned, but it means URLs and scraping requests are shared with the external provider.

Skill content

--arg url "$URL" ... curl -s -X POST 'https://api.brightdata.com/request' ... -d "$PAYLOAD"

Recommendation

Avoid submitting private, tokenized, or confidential URLs and queries unless sharing them with Bright Data is acceptable.

What this means

Users have less provenance information for deciding whether to trust the skill publisher.

Why it was flagged

The artifact does not identify an official source or homepage, so users cannot verify from metadata whether it is published by Bright Data, even though the included code is transparent and simple.

Skill content

Source: unknown; Homepage: none

Recommendation

Review the included scripts before use and prefer an official or verifiable publisher if provenance is important.