Is bertxtrella/aluvia-mip safe?
https://github.com/openclaw/skills/tree/main/skills/bertxtrella/aluvia-mip
Aluvia MIP is a documentation-only skill: it contains no embedded executable code and no prompt injection, and it installs cleanly (the skill file itself is benign, and the git clone touched only the expected GitHub infrastructure). Its operational purpose, however, is to route an agent's entire browser session through Aluvia's third-party residential proxy network, which puts Aluvia in a position to observe every destination the agent visits and, for plaintext or TLS-intercepted traffic, the content and credentials as well, and it explicitly enables CAPTCHA bypass and scraping of protected sites. The skill also directs agents to globally install an unaudited external npm package (@aluvia/sdk) without version pinning, which introduces an ongoing supply chain risk surface every time the package is installed or updated.
Findings (8)
HIGH All agent browser traffic routed through third-party Aluvia proxy network -25
The skill's core mechanism routes every HTTP and HTTPS request the agent's browser makes through Aluvia's residential proxy infrastructure, launching the browser via Playwright with authenticated proxy credentials. The proxy operator therefore sees every destination host the agent contacts and, for plaintext HTTP, the full URLs, page content, form submissions, authentication tokens and session cookies. For HTTPS it sees the same only where it terminates TLS itself, which the browser will accept only if it trusts a certificate authority the proxy controls or has been launched with certificate errors ignored; otherwise it sees the hostname, timing and volume of each connection. This is the intended design, not a side effect or optional feature, so any user of this skill implicitly consents to third-party traffic interception for the duration of each session.
MEDIUM Skill directs agent to globally install unaudited external npm package -20
Installation instructions explicitly direct the agent to run 'npm install -g @aluvia/sdk', which downloads and globally installs the package from the public registry with no version pinning and no integrity verification against a known-good hash. npm packages can declare preinstall, install and postinstall lifecycle scripts that execute arbitrary shell commands at install time with the invoking user's privileges (root, when the global install is run with sudo). A malicious or compromised package version could therefore achieve persistent code execution on the host.
MEDIUM API key and proxy credentials transmitted to Aluvia external service on every session -12
Every call to 'aluvia-sdk open' transmits ALUVIA_API_KEY to api.aluvia.io. The skill's recommended workflow also creates reusable 'connections' that store proxy_username and proxy_password on Aluvia's servers. These credentials are returned to the agent in plaintext JSON and intended to be retained across sessions, creating a persistent external credential dependency.
MEDIUM Skill purpose explicitly includes bypassing website security controls -25
The skill's read_when conditions and description explicitly target CAPTCHA bypass, rate limit evasion, and scraping of 'protected websites.' These capabilities directly enable abusive automation at scale — credential stuffing, data harvesting, ad fraud, and scraping in violation of website terms of service. An agent equipped with this skill can be directed to perform large-scale abuse with effective IP anonymization via residential proxies.
LOW npx execution fetches and runs unverified package versions on demand -10
The skill promotes npx as a zero-install path ('npx aluvia-sdk help'). Without an explicit version, npx fetches whatever is currently published under that name at execution time (or runs a locally installed copy if one exists), and nothing locks it, so the package that runs today may differ from the one that runs tomorrow. A malicious maintainer or an npm supply chain compromise could publish code that executes the next time the agent invokes npx aluvia-sdk.
LOW Persistent background browser daemon with opaque cleanup lifecycle -15
The headless browser launched by aluvia-sdk runs as a background daemon process that persists after the shell session closes. The daemon retains active session state (cookies, localStorage, auth tokens) in memory and writes operational logs to /tmp/aluvia-sdk/cli.log. Failure to call 'aluvia-sdk close' leaves orphan processes and sensitive session artifacts on disk indefinitely.
LOW Skill normalizes blind trust in aluvia-sdk binary output for browser endpoint routing -10
The skill pattern 'CDP_URL=$(aluvia-sdk open ... | jq -r .cdpUrl)' passes the returned URL directly to browser automation tools without validation. The cdpUrl is a localhost endpoint that grants full Chrome DevTools Protocol control over the browser. A compromised aluvia-sdk binary, malicious PATH entry, or SDK update could return a cdpUrl pointing to an adversarial browser instance, redirecting all subsequent agent browser operations.
INFO Installation was clean — expected GitHub HTTPS connection only -6
The skill installation performed a standard sparse git clone from github.com. The only external network connection was to 140.82.121.4:443 (github.com). No unexpected processes were spawned, no filesystem modifications occurred outside the skill directory, and connection state before and after installation was equivalent. Credential file reads observed in auditd are attributable to oathe's own pre/post canary integrity checks (CLOSE_NOWRITE access pattern, matching both pre-install and post-install timestamps).