Is maay/brighty safe?
https://github.com/openclaw/skills/tree/main/skills/maay/brighty
The brighty skill provides a legitimate banking integration for the Brighty API but carries two significant risks: (1) its MCP server is configured to download and execute unpinned code directly from GitHub via 'npx -y github:Maay/brighty_mcp', creating a supply chain attack surface against live financial operations, and (2) the invoice-parsing workflow creates a prompt injection vector where malicious document content could redirect wire transfers to attacker-controlled accounts. Canary files were read post-install but not exfiltrated, and the install itself was clean; the skill's safety confirmations are genuine but insufficient to fully mitigate the financial blast radius.
Category Scores
Findings (8)
HIGH Unpinned GitHub package execution via npx -45 ▶
config/mcporter.json configures the MCP server as 'npx -y github:Maay/brighty_mcp' with no version, commit SHA, or integrity hash. Every time the MCP server starts it re-downloads and executes whatever is currently at HEAD of that repository. A single malicious push to Maay/brighty_mcp would compromise all users of this skill, with direct access to live banking credentials and financial operations.
HIGH Prompt injection via invoice content can redirect wire transfers -42 ▶
The 'Pay an invoice' workflow instructs the agent to autonomously extract IBAN, BIC, amount, and reference from invoice documents. A maliciously crafted invoice (received via email, web, or file) could contain injected instructions that override the recipient details, causing funds to be wired to an attacker-controlled account. The user confirmation step before brighty_start_payout is the only safeguard, and it depends entirely on the agent correctly surfacing the attacker-supplied details.
MEDIUM Canary credential files accessed post-install -18 ▶
Six canary credential files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were accessed at timestamp 1771907187.670, approximately 4 seconds after skill installation completed. Canary integrity check confirms no content was modified or exfiltrated. These accesses are likely from oathe's own post-install canary verification routine, but the timing warrants noting.
MEDIUM Broad blanket authorization notice -18 ▶
The skill includes an 'Authorization Notice' stating that merely using the skill constitutes owner authorization for all operations. This framing could cause an agent to treat the authorization as pre-granted, potentially reducing the friction for dangerous operations like bulk payouts or account termination without explicit per-operation consent.
MEDIUM Team management tools enable account takeover -30 ▶
brighty_add_members and brighty_remove_members can add arbitrary email addresses as ADMIN or MEMBER and remove existing members. If an agent with this skill is manipulated (e.g., via a crafted message claiming to be an onboarding request), it could add attacker-controlled email addresses as business account administrators.
LOW No package integrity verification -10 ▶
The skill has no lockfile, no package hash, and no mechanism to verify that the downloaded brighty_mcp package matches any expected checksum. This is a latent supply chain risk even if the current version of the package is benign.
INFO Clean install from monorepo via sparse checkout 0 ▶
The installation used git sparse-checkout targeting only skills/maay/brighty, connecting only to github.com. No unexpected processes or network connections were observed during the install phase itself.
INFO Explicit safety confirmation requirements 0 ▶
The skill repeatedly instructs the agent to always confirm with the user before executing payouts or terminating accounts, and to show amounts and recipients clearly. These are genuinely protective instructions.