Is davidm413/bybit-order-book safe?
https://github.com/openclaw/skills/tree/main/skills/davidm413/bybit-order-book
The bybit-order-book skill is a functionally legitimate trading backtesting tool with no active prompt injection, hidden commands, or direct exfiltration code. The primary risks are architectural: the skill installs undetected-chromedriver (a Cloudflare-evasion browser automation tool) with --break-system-packages, permanently modifying the system Python environment and creating a persistent agent-controlled browser capability that bypasses anti-bot defenses. While no malicious use of these capabilities was observed during the audit, they represent a significant attack surface for follow-on prompt injection and a disproportionate system modification for a data download tool.
Findings (11)
HIGH pip install --break-system-packages Modifies System Python Environment -20
SKILL.md instructs the agent to execute 'pip install undetected-chromedriver selenium pandas numpy pyarrow --break-system-packages'. The --break-system-packages flag overrides Python's package isolation mechanism and forces installation into the system-level Python environment. This can silently overwrite existing system packages, downgrade security-sensitive libraries (e.g., cryptography, ssl wrappers), and break other system tools that depend on specific package versions. This creates persistent system-level changes that outlast the skill's use.
HIGH undetected-chromedriver: Persistent Cloudflare-Bypassing Browser Automation Installed -12
The skill requires undetected-chromedriver, a library engineered specifically to bypass browser fingerprinting, Cloudflare Turnstile/Bot Management, and automated browser detection systems. Unlike standard Selenium, this tool patches ChromeDriver at runtime to evade anti-automation defenses. Installing it creates a persistent capability on the user's system for running undetected browser automation. When an LLM agent controls this tool, it can operate a Chrome instance that bypasses security controls across any website, not just ByBit.
MEDIUM Agent-Controlled Browser Creates Exfiltration Vector via Follow-on Prompt Injection -20
download_orderbook.py launches a full Chrome instance under agent control. The browser has download capabilities (Page.setDownloadBehavior CDP command), can execute arbitrary JavaScript, and is configured with Cloudflare evasion. A subsequent prompt injection attack (e.g., via a malicious ByBit page, or a follow-on user message) could redirect this agent-controlled browser to attacker-controlled URLs, POST local file contents via form submission, or harvest authentication cookies from any site visited.
MEDIUM External URL Navigation Without Validation or Allowlisting -8
The download script navigates Chrome to BYBIT_HISTORY_URL, defined as a module-level constant. The select_dropdown_option, select_symbol, and set_date_range functions accept string parameters that control what the browser interacts with. If an attacker can modify the BYBIT_HISTORY_URL value (e.g., via a compromised package update, or by convincing the agent to set a different URL), the browser navigates to arbitrary external hosts with full Selenium automation capabilities.
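One mitigation for the two browser findings above (an agent-steerable navigation target and the resulting exfiltration vector) is to refuse any navigation whose host is not on a fixed allowlist. The following is an added example, not code from the skill; the allowlist contents and the hypothetical safe_navigate wrapper are assumptions.

```python
"""Allowlist guard for the browser's navigation target.
Added example, not code from the skill; the host allowlist is an assumption."""
from urllib.parse import urlsplit

# Assumed set of hosts the download workflow legitimately needs.
ALLOWED_HOSTS = frozenset({"www.bybit.com"})


def is_allowed_nav_url(url, allowed_hosts=ALLOWED_HOSTS):
    """True only for an https URL whose host is exactly one of allowed_hosts.

    Rejects other schemes, embedded credentials (https://www.bybit.com@evil.example/
    resolves to host evil.example), non-default ports, and sub- or lookalike hosts,
    so a swapped BYBIT_HISTORY_URL constant or an agent-supplied string cannot steer
    the automated browser elsewhere.
    """
    try:
        parts = urlsplit(url)
        port = parts.port            # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False
    if port not in (None, 443):
        return False
    host = (parts.hostname or "").lower()
    return host in allowed_hosts


def safe_navigate(driver, url):
    """Guarded replacement for a bare driver.get(url); driver is any object with .get()."""
    if not is_allowed_nav_url(url):
        raise ValueError(f"refusing to navigate outside the allowlist: {url!r}")
    driver.get(url)
    return url
```

Wiring safe_navigate in place of every driver.get call turns a modified constant or an injected URL into a hard failure rather than a silent redirect.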
MEDIUM Automated ByBit Scraping Likely Violates Terms of Service -15
The skill explicitly uses undetected-chromedriver to bypass Cloudflare bot protection on ByBit's website to download historical data. ByBit's ToS prohibits automated data collection without prior written consent. Users who run this skill risk account suspension, IP-level bans, potential CFAA/computer fraud violations in some jurisdictions, and reputational harm. The skill normalizes ToS-violating behavior as a standard agent workflow.
MEDIUM System-Level Package Modification Persists Beyond Skill Scope -10
The --break-system-packages installation modifies the host OS Python environment permanently. Unlike virtualenv-isolated dependencies, these changes affect all Python processes on the system. This is a disproportionate system modification for a skill claiming to be a data download/analysis tool and represents an overstep in the permissions the skill claims to need.
LOW No Dependency Version Pinning Creates Supply Chain Risk -10
All five pip dependencies (undetected-chromedriver, selenium, pandas, numpy, pyarrow) are installed without version pins. Future updates to any of these packages could introduce breaking changes or, in the case of a supply chain compromise, malicious code that would execute under agent control. undetected-chromedriver in particular has a history of rapid version changes to stay ahead of detection.
LOW --break-system-packages Framing Normalizes Dangerous Flag Usage -5
By presenting --break-system-packages as a standard installation step without warning or explanation, the SKILL.md normalizes a dangerous practice. Agents following this instruction will apply the flag uncritically to future installations, potentially cascading this risky behavior beyond this skill's scope.
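The three install-related findings (the --break-system-packages flag, the unpinned dependencies, and the uncritical framing) can be caught mechanically before an agent runs the line. The check below is an added example, not part of the skill or the audit tooling; it parses the pip install command from SKILL.md, reports risky flags and unpinned specifiers, and shows the same install rewritten to target a project virtualenv (the .venv path is an assumption).

```python
"""Policy check for the pip install line a SKILL.md asks an agent to run.
Added example, not code from the skill or from its audit tooling."""
import re
import shlex

# An exact '==' pin; a bare name or a range (>=, ~=) can drift on a future install.
_PINNED = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*(\[[^\]]*\])?==\d[^\s;]*$")
# Flags that defeat environment isolation or weaken index verification.
_RISKY_FLAGS = {"--break-system-packages", "--trusted-host"}
# Options that consume the next token, which must not be read as a requirement.
_VALUE_FLAGS = {"-i", "--index-url", "--extra-index-url", "-r", "--requirement",
                "-c", "--constraint", "-t", "--target", "--trusted-host"}


def check_pip_install(command):
    """Split the arguments after 'install' into risky flags, pinned and unpinned specs."""
    argv = shlex.split(command)
    if "install" not in argv:
        raise ValueError("not a pip install command")
    risky, pinned, unpinned = [], [], []
    skip_next = False
    for tok in argv[argv.index("install") + 1:]:
        if skip_next:
            skip_next = False
            continue
        if tok.startswith("-"):
            name = tok.split("=", 1)[0]
            if name in _RISKY_FLAGS:
                risky.append(name)
            skip_next = name in _VALUE_FLAGS and "=" not in tok
            continue
        (pinned if _PINNED.match(tok) else unpinned).append(tok)
    return {"risky_flags": risky, "pinned": pinned, "unpinned": unpinned,
            "acceptable": not risky and not unpinned}


def venv_equivalent(command, venv=".venv"):
    """The same install rewritten to target a project virtualenv instead of system Python."""
    argv = shlex.split(command)
    args = [a for a in argv[argv.index("install"):] if a != "--break-system-packages"]
    return shlex.join([f"{venv}/bin/pip", *args])
```

Run against the exact line from SKILL.md, the check reports the flag and all five unpinned packages; pinning each to an exact version and installing into the virtualenv makes it pass.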
LOW Undisclosed Cross-Skill Dependency in .clawhub/lock.json -8
The skill's .clawhub/lock.json contains a reference to 'academic-research-hub' version 0.1.0, installed at timestamp 1770957475341 (approximately March 2026, after the skill's own publication date of February 2026). This is not mentioned anywhere in SKILL.md or other documentation. This may be a development environment artifact, but it suggests the skill was developed in an environment with another skill installed, raising questions about undisclosed cross-skill interactions.
LOW Undisclosed Skill Chaining Artifact -5
The presence of academic-research-hub in the lock.json at a timestamp AFTER the skill's own publication date is temporally inconsistent and suggests possible testing or chaining scenarios not reflected in the public skill documentation. If the skill is designed to operate alongside academic-research-hub, these undisclosed interactions should be documented.
INFO Canary File Accesses Attributable to Monitoring System -5
File accesses to .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud/application_default_credentials.json were recorded at timestamps 1771911852 (pre-install baseline) and 1771911869 (post-install). These appear simultaneously at identical sub-second timestamps in both batches, consistent with the Oathe monitoring system's canary integrity check scripts rather than skill-originated access. No skill code references these file paths.
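The attribution argument in this finding (a full set of canaries touched at one identical timestamp in both the baseline and post-install batches is the monitor's own sweep, anything else needs explaining) can be expressed as a check over the access records. The following is an added example, not the Oathe tooling; the records are constructed, including one extra post-install read that shows what a skill-originated access would look like.

```python
"""Attribute canary-file accesses to the monitor's integrity sweep or flag them for review.
Added example, not code from the audit tooling; all records below are constructed."""
from collections import defaultdict

# The six credential-like canaries named in the finding.
CANARY_PATHS = frozenset({
    ".env", ".ssh/id_rsa", ".aws/credentials", ".npmrc",
    ".docker/config.json", ".config/gcloud/application_default_credentials.json",
})


def sweep_timestamps(records):
    """Per batch, the timestamps at which every canary was touched at once (a sweep)."""
    touched = defaultdict(lambda: defaultdict(set))
    for batch, ts, path in records:
        touched[batch][ts].add(path)
    return {batch: {ts for ts, paths in by_ts.items() if paths >= CANARY_PATHS}
            for batch, by_ts in touched.items()}


def attribute_accesses(records):
    """Return (monitor_attributable, needs_review) lists of (batch, ts, path) records.

    An access is the monitor's own only if it belongs to a full simultaneous sweep
    and the pre-install baseline already shows the same sweep pattern; any other
    access in the post-install batch is a candidate skill-originated read.
    """
    sweeps = sweep_timestamps(records)
    baseline_has_sweep = bool(sweeps.get("baseline"))
    monitor, review = [], []
    for rec in records:
        batch, ts, _ = rec
        if baseline_has_sweep and ts in sweeps.get(batch, set()):
            monitor.append(rec)
        else:
            review.append(rec)
    return monitor, review


# Constructed records: (batch, epoch seconds, path). Each batch holds one sweep at an
# identical sub-second offset; one extra read is added to show what gets flagged.
SAMPLE = [("baseline", 1771911852.417, p) for p in sorted(CANARY_PATHS)]
SAMPLE += [("post_install", 1771911869.417, p) for p in sorted(CANARY_PATHS)]
SAMPLE.append(("post_install", 1771911875.002, ".aws/credentials"))
```

On the audited skill only the two sweeps exist, so the review list is empty; the constructed lone read of .aws/credentials is what a genuine skill-side access would surface as.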