ClawHub
Back to skill

Security audit

Bright Data

Security checks across malware telemetry and agentic risk

Overview

This is a transparent Bright Data wrapper for search and scraping, with privacy and acceptable-use considerations but no hidden or destructive behavior found.

Install only if you intend to use Bright Data for web scraping or search. Use a scoped API key and zone, monitor usage and costs, avoid submitting sensitive URLs or confidential queries, and confirm that your scraping complies with applicable law and the target site’s rules.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill invokes shell scripts but does not declare corresponding permissions, creating a capability/permission mismatch that can bypass user expectations and security review controls. In this context, the shell capability is used to make outbound requests to Bright Data, so the undeclared access increases the risk of unnoticed external network activity and command execution pathways.

Vague Triggers

Medium
Confidence
89% confidence
Finding
Advertising that the skill can scrape 'any webpage' is overly broad and encourages unrestricted use against arbitrary targets, including sensitive, prohibited, or legally restricted sites. The added claim that it bypasses bot detection and CAPTCHA makes the capability more dangerous because it signals intentional circumvention of access controls rather than ordinary browsing.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill description omits a warning that user-provided URLs and search queries are sent to Bright Data, a third-party provider, which can expose sensitive research targets, internal URLs, tokens in query strings, or confidential search intent. Because this skill is specifically built around external scraping/search APIs, the lack of disclosure materially increases the risk of inadvertent data exfiltration.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.