ClawHub

Brightdata

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Bright Data onboarding/search/scraping skill, but installing it gives an agent broad web access and stores Bright Data credentials locally.

Install only if you trust Bright Data and want the agent to use Bright Data for web access. Prefer npm/npx over a pipe-to-shell installer when possible, review where the API key is stored, limit MCP/tool groups to what you need, and do not send secrets, private URLs, or restricted targets through the service without explicit approval.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill invokes shell-based tools (`bash`, `curl`, `sed`) and executable scripts, but the metadata does not declare corresponding permissions or constraints. This creates a capability/visibility gap where an agent or reviewer may underestimate the skill's ability to make outbound requests and execute shell commands, reducing governance and increasing misuse risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The description does not warn that user queries and target URLs are sent to Bright Data services, which can expose sensitive prompts, identifiers, or internal URLs to a third party. Because this skill is specifically designed for web search and scraping, the omission increases the chance that an agent forwards sensitive data without informed user consent.

Unrestricted Tool Access

Medium
Category
Excessive Agency
Content
# Bright Data — Web Search & Scraping

Two tools: **search** (Google SERP results as JSON) and **scrape** (any URL to clean markdown). Both bypass bot detection and CAPTCHAs.

## Tools
Confidence
82% confidence
Finding
tools: *

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal