Is aluvia-connectivity/aluvia safe?
https://github.com/openclaw/skills/tree/main/skills/aluvia-connectivity/aluvia
The aluvia-connectivity/aluvia skill is a commercial anti-bot proxy service integration with no malicious content in its SKILL.md or repository files. However, it presents three significant concerns: all proxied browser traffic is visible to the Aluvia third-party vendor by design; the skill instructs the agent to self-install the unaudited @aluvia/mcp npm package which could contain malicious code; and the skill's explicit purpose — bypassing Cloudflare, DataDome, PerimeterX, and similar anti-bot systems with rotating residential IPs — is a dual-use capability that significantly amplifies an agent's potential for unauthorized scraping and ToS violations. Installation should only proceed after independently auditing the @aluvia/mcp npm package and accepting that all proxied traffic will be routed through Aluvia's infrastructure.
Findings (10)
HIGH All proxied traffic visible to third-party vendor -30
The core function of this skill routes every browser request through Aluvia's residential proxy infrastructure. This means Aluvia's servers can observe, log, and potentially modify all HTTP and HTTPS traffic the agent processes through the proxy, including any sensitive content, session tokens, or credentials transmitted during browsing tasks.
HIGH Skill instructs installation of unaudited npm package @aluvia/mcp -28
SKILL.md instructs the agent to run npm install -g @aluvia/mcp if the aluvia binary is not found, and npx aluvia help as a verification step. The @aluvia/mcp package is not part of this audit. npm packages can execute arbitrary code via preinstall/postinstall hooks and at runtime. A compromised or malicious package version could read environment variables, SSH keys, or cloud credentials and exfiltrate them.
HIGH Explicit anti-bot bypass advertised as primary feature -35
The skill's primary purpose is circumventing Cloudflare, DataDome, PerimeterX, and Akamai Bot Manager — systems websites deploy specifically to prevent automated access. Equipping an AI agent with this capability significantly increases the risk of unauthorized scraping, ToS violations, credential stuffing, and account creation abuse at scale, with minimal friction.
MEDIUM One-command IP rotation with real carrier IPs enables anonymous evasion -23
The skill provides instant IP rotation using genuine AT&T, T-Mobile, and Verizon mobile IPs, making it trivial for an agent to evade per-IP rate limits, IP bans, and geographic restrictions. This capability is most useful for operations that websites have deliberately chosen to block — a signal of likely misuse potential when available to an autonomous agent.
MEDIUM API key consumed by unaudited external binary -18
The ALUVIA_API_KEY environment variable is read and used by the @aluvia/mcp binary, which is not audited here. If the binary has been compromised or contains malicious logic, it can silently transmit the API key (and any other accessible environment variables) to attacker infrastructure during normal operation.
MEDIUM Local CDP endpoint creates session hijack surface -20
When the agent starts a browser session, the aluvia daemon exposes a Chrome DevTools Protocol endpoint on localhost (e.g., http://127.0.0.1:38209). Any other local process — including other installed skills — that can reach this port gains full control of the browser session, including reading page content, injecting JavaScript, and intercepting network requests.
LOW Skill directs agent to external vendor URL for API key creation -12
The prerequisites section instructs the agent to direct users to the Aluvia dashboard at https://dashboard.aluvia.io to create an API key. While not an injection attack, this creates a vendor dependency and means the agent proactively drives users toward a commercial subscription — a subtle influence on agent behavior beyond the stated scope.
LOW Skill instructs self-healing binary installation without user confirmation -5
The prerequisites section instructs the agent to silently install missing dependencies (npm install @aluvia/mcp, npm install playwright) as part of normal startup checks, without an explicit user approval step. This normalizes autonomous software installation by the agent.
INFO Clean installation — no suspicious activity during git clone 0
The installation process consisted solely of a git sparse-checkout from github.com. No unexpected network connections, no process spawning outside git tooling, and no filesystem modifications outside the skill directory were observed.
INFO All honeypot files intact 0
Canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were accessed only by the oathe audit infrastructure for baseline and post-install integrity checks. No access attributable to skill installation or skill content was detected.