bitbucket-browser-fetch
Warn
Audited by Gen Agent Trust Hub on May 8, 2026
Risk Level: MEDIUM
NO_CODE, COMMAND_EXECUTION, CREDENTIALS_UNSAFE
Full Analysis
- [NO_CODE]: The main script `scripts/bitbucket-browser-fetch.js` depends on a local module `scripts/atlassian-browser.js` via a `require` statement. This file is not included in the skill package, which creates a significant audit gap as it contains the logic for browser automation and sensitive cookie extraction.
- [COMMAND_EXECUTION]: The script dynamically generates a bash script (`clone-ssh.sh`) using string interpolation of repository data and writes it to the file system with executable permissions (`0o755`). While intended for user convenience, the creation of executable code based on remote metadata is a potential security risk.
- [CREDENTIALS_UNSAFE]: The skill is designed to programmatically harvest Bitbucket authentication cookies from a running browser instance using the Chrome Remote Debugging Port. This method of credential retrieval bypasses standard API token management and provides the script with the same level of access as the user's browser session.
Audit Metadata