v1.0.0

Bright Data

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 4:52 AM.

Analysis

This looks like a straightforward Bright Data search and scraping wrapper, but it uses a Bright Data API key and can send chosen queries or URLs to Bright Data, including for CAPTCHA-bypass scraping.

GuidanceInstall this only if you intend to use Bright Data for web search/scraping. Use a scoped API key and zone, watch for provider costs, avoid private or tokenized URLs, and make sure your scraping complies with the target site’s rules and your legal obligations.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityLowConfidenceHighStatusNote

SKILL.md

Scrape any webpage as markdown. Bypasses bot detection and CAPTCHA.

The broad scraping and bot/CAPTCHA-bypass capability is clearly disclosed and matches the skill purpose, but it is a capability users should consciously direct and use only on appropriate targets.

User impactThe skill can help an agent retrieve pages through a web-unlocker service, which may have legal, terms-of-service, or privacy implications depending on the target page.

RecommendationUse it only for authorized or acceptable scraping targets, and confirm sensitive or private URLs before asking the agent to scrape them.

Agentic Supply Chain Vulnerabilities

SeverityInfoConfidenceHighStatusNote

metadata

Source: unknown; Homepage: none

The artifact does not identify an official source or homepage, so users cannot verify from metadata whether it is published by Bright Data, even though the included code is transparent and simple.

User impactUsers have less provenance information for deciding whether to trust the skill publisher.

RecommendationReview the included scripts before use and prefer an official or verifiable publisher if provenance is important.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityLowConfidenceHighStatusNote

scripts/search.sh

-H "Authorization: Bearer $BRIGHTDATA_API_KEY"

The script authenticates to Bright Data using an environment-provided API key. This is expected for the integration, but it gives the skill access to a provider credential that may incur usage or billing.

User impactIf the key is available in the environment, the skill can make Bright Data API requests under that account.

RecommendationUse a restricted Bright Data key/zone where possible, monitor usage, and ensure the registry metadata is updated to declare the required env vars and primary credential.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication

SeverityLowConfidenceHighStatusNote

scripts/scrape.sh

--arg url "$URL" ... curl -s -X POST 'https://api.brightdata.com/request' ... -d "$PAYLOAD"

The user-supplied target URL is sent to Bright Data in the API request. This is purpose-aligned, but it means URLs and scraping requests are shared with the external provider.

User impactSensitive URLs, private links, or confidential search targets could be disclosed to Bright Data if the user or agent submits them.

RecommendationAvoid submitting private, tokenized, or confidential URLs and queries unless sharing them with Bright Data is acceptable.