
Security audit

bee-visitor-recent

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Bee Website Builder visitor-analytics API wrapper, but it returns sensitive visitor data that users should handle carefully.

Install only if you are authorized to access this Bee visitor analytics data. Treat returned IPs, URLs, referrers, user agents, and visit history as sensitive personal or business data; avoid pasting the API key directly into chat, use a least-privilege key, and do not retain or share outputs beyond your legitimate analytics purpose.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The README documents access to personal and quasi-identifying visitor data such as IP addresses, referrer URLs, current URLs, timestamps, and User-Agent strings, but provides no privacy, consent, retention, or access-control guidance. In a skill intended for agent use, this omission increases the risk of over-collection, unauthorized profiling, and downstream misuse of regulated personal data.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
This skill is designed to retrieve and analyze recent visitor data including IP addresses, referrers, URLs, timestamps, and user agents, which can constitute personal data or enable profiling. The documentation provides no privacy notice, lawful-use constraints, minimization guidance, or user-impact warning, increasing the risk of covert surveillance, mishandling of sensitive data, and regulatory noncompliance.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The manifest explicitly models collection and return of sensitive visitor analytics data, including IP addresses, referrer URLs, current URLs, user agents, screen resolution, and detailed visit timestamps, but it does not describe any user-facing privacy notice, consent flow, minimization, or retention controls. This creates a real privacy and compliance risk because the skill enables access to personal data that can be used to identify or profile visitors without any disclosed safeguards in the skill contract.

VirusTotal

56/56 vendors flagged this skill as clean.