bx-search
bx-search · v1.4.0 · by
Trust Score: 51.9
Trust Tier: 0
Badge: danger
Score Breakdown
| Factor | Score | Weight |
|---|---|---|
| Static | 0.0 | 15% |
| Permission | 95.0 | 15% |
| Poison | 100.0 | 15% |
| Clickfix | 100.0 | 15% |
| Credential | 0.0 | 15% |
| Twostage | 5.0 | 10% |
| Infrastructure | 25.0 | 5% |
| Typosquat | 100.0 | 5% |
| Age | 28.3 | 3% |
| Popularity | 0.0 | 2% |
Scan Results
STATIC — Score: 0
[CRITICAL] Remote code download and execution via curl pipe
(line 76)
curl -fsSL https://raw.githubusercontent.com/brave/brave-search-cli/main/scripts/install.sh | sh
[CRITICAL] Remote script download piped to shell execution
(line 76)
curl -fsSL https://raw.githubusercontent.com/brave/brave-search-cli/main/scripts/install.sh | sh
[MEDIUM] Fetching content from non-OpenClaw GitHub repositories
(line 76)
curl -fsSL https://raw.githubusercontent.com/brave/brave-search-cli/main/scripts/install.sh | sh
[MEDIUM] Fetching content from non-OpenClaw GitHub repositories
(line 81)
powershell -ExecutionPolicy Bypass -c "irm https://raw.githubusercontent.com/brave/brave-search-cli/main/scripts/install
[MEDIUM] Fetching content from non-OpenClaw GitHub repositories
(line 280)
- **Community-maintained**: Leverage existing Goggles like [Tech Blogs](https://raw.githubusercontent.com/brave/goggles-
[MEDIUM] Fetching content from non-OpenClaw GitHub repositories
(line 353)
--goggles 'https://raw.githubusercontent.com/brave/goggles-quickstart/main/goggles/tech_blogs.goggle'
PERMISSION — Score: 95
[LOW] Skill appears to use network but declares no permissions
POISON — Score: 100
No findings.
CLICKFIX — Score: 100
No findings.
INFRASTRUCTURE — Score: 25
[MEDIUM] GitHub release download from non-OpenClaw repo (potential payload hosting)
(line 21)
"url": "https://github.com/brave/brave-search-cli/releases/download/v1.4.0/bx-1.4.0-linux-amd64"
[MEDIUM] GitHub release download from non-OpenClaw repo (potential payload hosting)
(line 29)
"url": "https://github.com/brave/brave-search-cli/releases/download/v1.4.0/bx-1.4.0-linux-arm64"
[MEDIUM] GitHub release download from non-OpenClaw repo (potential payload hosting)
(line 37)
"url": "https://github.com/brave/brave-search-cli/releases/download/v1.4.0/bx-1.4.0-darwin-arm64"
[MEDIUM] GitHub release download from non-OpenClaw repo (potential payload hosting)
(line 45)
"url": "https://github.com/brave/brave-search-cli/releases/download/v1.4.0/bx-1.4.0-windows-amd64.exe"
[MEDIUM] GitHub release download from non-OpenClaw repo (potential payload hosting)
(line 53)
"url": "https://github.com/brave/brave-search-cli/releases/download/v1.4.0/bx-1.4.0-windows-arm64.exe"
TWOSTAGE — Score: 5
[CRITICAL] Download piped directly to interpreter (two-stage loader)
(line 76)
curl -fsSL https://raw.githubusercontent.com/brave/brave-search-cli/main/scripts/install.sh | sh
CREDENTIAL — Score: 0
[CRITICAL] Browser credential or cookie file access
(line 280)
- **Community-maintained**: Leverage existing Goggles like [Tech Blogs](https://raw.githubusercontent.com/brave/goggles-
[CRITICAL] Browser credential or cookie file access
(line 319)
Separate multiple rules with newlines. Full DSL + pattern syntax: [goggles-quickstart](https://github.com/brave/goggles-
[CRITICAL] Browser credential or cookie file access
(line 353)
--goggles 'https://raw.githubusercontent.com/brave/goggles-quickstart/main/goggles/tech_blogs.goggle'
[CRITICAL] Browser credential or cookie file access
(line 356)
Community Goggles: [brave/goggles-quickstart](https://github.com/brave/goggles-quickstart) | [Discover page](https://sea
TYPOSQUAT — Score: 100
No findings.