ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Brightdata

v1.0.0

Google search results and web page scraping via Bright Data APIs. Use when the agent needs structured search results, paginated SERP retrieval, or clean mark...

0· 53·0 current·0 all-time
by@zhao-weijie
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description claim Bright Data SERP and scraping functionality; the scripts invoke https://api.brightdata.com/request and require BRIGHTDATA_API_KEY and zone IDs. Required binaries (bash, curl, sed) are exactly those used by the scripts. No unrelated credentials or tools are requested.
Instruction Scope
SKILL.md and the scripts confine behavior to making POST requests to Bright Data and returning the API responses. The scripts do not read other system files or external endpoints. Minor issues: the search script only replaces spaces with '+' instead of full URL-encoding (could produce malformed requests for special characters), and responses are echoed raw (may include large or sensitive page content). These are implementation/usability notes, not evidence of malicious scope creep.
Install Mechanism
This is an instruction-only skill with included shell scripts and no install spec that downloads or executes remote code. No installers, remote downloads, or archive extraction steps are present.
Credentials
The skill requires BRIGHTDATA_API_KEY plus zone identifiers for SERP and Unlocker, which are appropriate and expected for Bright Data APIs. No unrelated secrets or system config paths are requested.
Persistence & Privilege
Skill is not marked always:true and does not request persistent system-wide configuration changes. The default autonomous-invocation setting is unchanged (normal for skills) and not combined with other red flags.
Assessment
This skill appears coherent: it simply wraps Bright Data SERP and Unlocker API calls and requires your Bright Data API key and zone IDs. Before installing, ensure you trust the skill source (owner unknown), understand that providing the API key lets the skill make requests and consume your account quota, and that scraped pages may include sensitive data. If you proceed, scope and monitor the API key (rotate/revoke if needed), review the scripts yourself (they return raw API responses and do minimal input encoding), and prefer to install only from a verified publisher when possible.

Like a lobster shell, security has layers — review code before you run it.

latestvk976zkcvjtnqpzh7rxkgqn7rh584mj3s

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🔍 Clawdis
Binsbash, curl, sed
EnvBRIGHTDATA_API_KEY, BRIGHTDATA_SERP_ZONE, BRIGHTDATA_UNLOCKER_ZONE
Primary envBRIGHTDATA_API_KEY

Comments