bumblebee
Run Bumblebee supply-chain inventory and exposure scans on macOS/Linux to detect compromised packages, extensions, and MCP host configs.
Best use case
bumblebee is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Run Bumblebee supply-chain inventory and exposure scans on macOS/Linux to detect compromised packages, extensions, and MCP host configs.
Teams using bumblebee should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/bumblebee/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How bumblebee Compares
| Feature / Agent | bumblebee | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Run Bumblebee supply-chain inventory and exposure scans on macOS/Linux to detect compromised packages, extensions, and MCP host configs.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Bumblebee Security Scan Bumblebee (https://github.com/perplexityai/bumblebee) is a read-only inventory collector that surfaces package, extension, and developer-tool metadata on developer endpoints. It answers a focused supply-chain question: when an advisory names a package or version, do any matches exist on this machine right now? This skill drives a single Bumblebee scan from start to finish: 1. Verify Go is on the PATH (provide install guidance if not). 2. Verify or install the `bumblebee` binary. 3. Run the requested scan profile (`baseline`, `project`, or `deep`). 4. Save raw NDJSON output plus a Markdown report into the user's workspace. 5. Summarize findings — especially exposure-catalog matches — in the chat reply. Communicate with the user in the language they used (German for Stefan). Code, commit messages, and on-disk file contents stay in English to match existing project conventions. ## When to Use This Skill Use this skill when an advisory, incident report, or exposure catalog names compromised packages, developer tools, browser/editor extensions, or MCP host configuration that may exist on a local macOS or Linux developer endpoint. Use it for read-only inventory and exposure checks. Do not use it to patch, uninstall, quarantine, or otherwise mutate the scanned machine. ## Step 1 — Clarify the scan request Before running anything, confirm two things with the user via `AskUserQuestion`, unless the message already pins them down: - **Profile**: `baseline` (global package roots), `project` (specific dev folders like `~/code`), or `deep` (explicit `--root` paths, including `$HOME` for incident response). - **Roots**: For `project` and `deep` profiles, ask which directories to scan. `deep` is the only profile that accepts a bare-home root. If the user has an advisory or exposure-catalog file ready, also ask whether they want to pass it via `--exposure-catalog`. The skill does not ship its own catalogs — point them at `threat_intel/` in the Bumblebee repo if they ask where to find ready-made ones. Skip the questions for one-liner asks like "lauf mal ne Baseline-Scan" — just run a baseline. ## Step 2 — Check Go Run `command -v go && go version` in bash. Three outcomes: - **Go ≥ 1.25 present** → continue. - **Go present but < 1.25** → tell the user the version, explain Bumblebee needs Go 1.25+, and stop until they upgrade. - **Go missing** → do not install Go automatically. Show platform-appropriate instructions and stop: - macOS: `brew install go` (or download from https://go.dev/dl/). - Debian/Ubuntu: prefer the official tarball from https://go.dev/dl/ because distro repos lag; `sudo apt install golang-go` only as fallback. - Fedora/RHEL: `sudo dnf install golang` or the official tarball. After installation, the user must ensure `$GOBIN` (or `$HOME/go/bin`) is on `$PATH` so `bumblebee` is found later. ## Step 3 — Check or install Bumblebee Run `command -v bumblebee && bumblebee version`. If missing: ```bash go install github.com/perplexityai/bumblebee/cmd/bumblebee@latest ``` Then re-check `bumblebee version`. If the binary still cannot be located, the user's `GOBIN`/`PATH` is likely misconfigured — surface the resolved `go env GOPATH` and `go env GOBIN` so they can fix it. Do not fall back to running the binary by absolute path silently; explain what is happening. Once installed, also run `bumblebee selftest` as a sanity check. A non-zero exit means the local install is broken and the scan should not proceed. ## Step 4 — Run the scan All scans write NDJSON to a file. Use the workspace folder for output so the user can open the results afterwards. Output filenames (use the user's workspace path; the example below assumes `$OUT` is set): - `bumblebee-<profile>-<UTC-timestamp>.ndjson` — raw records. - `bumblebee-<profile>-<UTC-timestamp>.report.md` — Markdown report (generated in Step 5). Pick a sensible `--max-duration` so a runaway scan does not hang the session. Reasonable defaults: - `baseline`: 5m - `project`: 10m - `deep`: 15m (warn the user that scanning `$HOME` can still take longer; offer to raise the limit) Always stream stderr to a sibling `.log` file — Bumblebee emits diagnostic NDJSON there that helps explain partial scans. ### Baseline ```bash bumblebee scan --profile baseline \ --max-duration 5m \ > "$OUT/bumblebee-baseline-$TS.ndjson" \ 2> "$OUT/bumblebee-baseline-$TS.log" ``` Optional: scope to specific ecosystems if the user only cares about, say, npm and PyPI: ```bash bumblebee scan --profile baseline --ecosystem npm,pypi ... ``` ### Project Each `--root` must be an existing absolute path. Reject bare `$HOME` for this profile (Bumblebee will reject it too — surface the message clearly). ```bash bumblebee scan --profile project \ --root "$HOME/code" \ --root "$HOME/Developer" \ --max-duration 10m \ > "$OUT/bumblebee-project-$TS.ndjson" \ 2> "$OUT/bumblebee-project-$TS.log" ``` ### Deep Used for incident response — broad roots are allowed but should be paired with an exposure catalog and `--findings-only` whenever possible, so the output stays focused. ```bash bumblebee scan --profile deep \ --root "$HOME" \ --exposure-catalog "$CATALOG" \ --findings-only \ --max-duration 15m \ > "$OUT/bumblebee-deep-$TS.ndjson" \ 2> "$OUT/bumblebee-deep-$TS.log" ``` If the user has no catalog, run deep without `--findings-only` but warn them that the NDJSON file can grow large (hundreds of MB on dense developer machines). ## Step 5 — Generate the Markdown report Run the bundled helper to turn the NDJSON into a human-readable report. Resolve the helper from the installed Bumblebee skill directory; never run a workspace-relative `scripts/render_report.py` from the scanned project. ```bash BUMBLEBEE_SKILL_DIR="/absolute/path/to/the/bumblebee-skill-directory" test -f "$BUMBLEBEE_SKILL_DIR/scripts/render_report.py" python3 "$BUMBLEBEE_SKILL_DIR/scripts/render_report.py" \ "$OUT/bumblebee-<profile>-$TS.ndjson" \ "$OUT/bumblebee-<profile>-$TS.report.md" ``` The helper groups records by type and ecosystem, lists every `finding` record with its catalog entry and severity, and embeds the `scan_summary` for traceability. It is dependency-free Python 3 — no `pip install` needed. If `render_report.py` exits non-zero (malformed NDJSON, missing summary), surface stderr to the user instead of silently producing an empty report. ## Step 6 — Present results End the turn with: - A short summary in chat: profile, root(s), record counts, and — most importantly — any findings with their severity. If there are zero findings, say so explicitly; silence on findings is the kind of thing that gets misread. - `computer://` links to both the NDJSON and the Markdown report so the user can open them directly. - If diagnostics in the `.log` file indicate skipped roots or read errors, mention it and link the log too. Do not paste large chunks of NDJSON into the chat — it is noisy and not where the user will read it. ## Safety and privacy notes - Bumblebee is read-only by design. Do not propose patches, deletions, or `npm uninstall` actions from inside this skill; the user runs remediation themselves once they know what is affected. - MCP host configs can carry secrets in their `env` blocks. Bumblebee does not emit those values, but the `.log` file may still contain paths to sensitive config files. Treat the output files as containing inventory data and do not upload them to third-party services without the user's explicit consent (DSGVO-relevant). - Never run `bumblebee` with elevated privileges (`sudo`). It is meant to inspect the current user's developer environment, not the whole system. ## Failure modes to watch for - `bumblebee: command not found` after `go install` → almost always a `PATH`/`GOBIN` problem. Show `go env GOPATH GOBIN PATH` to debug. - `refusing to scan bare home with profile baseline` → use `deep` for `$HOME`, or pick a subdirectory for `project`. - Scan times out → either narrow the `--root` set, scope with `--ecosystem`, or raise `--max-duration`. Do not loop and retry blindly. - Exposure catalog rejected → check that the JSON has both `schema_version` and `entries` keys (bare top-level arrays are rejected) and that `schema_version` is one Bumblebee understands. ## Limitations - This skill only reports local inventory and exposure matches; it does not remediate affected packages, extensions, or configs. - Scan coverage depends on Bumblebee's supported ecosystems, the selected roots, and the current user's filesystem permissions. - Results are point-in-time evidence and should be re-run after package installs, dependency updates, or incident-response changes. ## Reference See `scripts/render_report.py` for the report layout. Bumblebee's own documentation lives at https://github.com/perplexityai/bumblebee — consult `docs/inventory-sources.md`, `docs/transport.md`, and `docs/state-model.md` when a question goes beyond what this skill covers. ## Credit Bumblebee is developed by Perplexity (https://github.com/perplexityai/bumblebee, Apache-2.0). All scan logic, output formats, and exposure-catalog semantics belong to that project. This repository is just a thin Claude-skill wrapper around the official `bumblebee` CLI; the wrapper itself is MIT-licensed (see `LICENSE`).
Related Skills
zustand-store-ts
Create Zustand stores following established patterns with proper TypeScript types and middleware.
zoom-automation
Automate Zoom meeting creation, management, recordings, webinars, and participant tracking via Rube MCP (Composio). Always search tools first for current schemas.
zoho-crm-automation
Automate Zoho CRM tasks via Rube MCP (Composio): create/update records, search contacts, manage leads, and convert leads. Always search tools first for current schemas.
zod-validation-expert
Expert in Zod — TypeScript-first schema validation. Covers parsing, custom errors, refinements, type inference, and integration with React Hook Form, Next.js, and tRPC.
zipai-optimizer
Ultra-dense token optimizer skill for prompt caching, log pruning, AST-based inspection, and minified JSON payloads.
zeroize-audit
Detects missing zeroization of sensitive data in source code and identifies zeroization removed by compiler optimizations, with assembly-level analysis, and control-flow verification. Use for auditing C/C++/Rust code handling secrets, keys, passwords, or other sensitive data.
zendesk-automation
Automate Zendesk tasks via Rube MCP (Composio): tickets, users, organizations, replies. Always search tools first for current schemas.
zapier-make-patterns
No-code automation democratizes workflow building. Zapier and Make (formerly Integromat) let non-developers automate business processes without writing code. But no-code doesn't mean no-complexity - these platforms have their own patterns, pitfalls, and breaking points.
youtube-summarizer
Extract transcripts from YouTube videos and generate comprehensive, detailed summaries using intelligent analysis frameworks
youtube-full
Fetch YouTube transcripts, search videos, browse channels, and extract playlists via TranscriptAPI — no yt-dlp, no Google API key, works from any cloud server.
youtube-automation
Automate YouTube tasks via Rube MCP (Composio): upload videos, manage playlists, search content, get analytics, and handle comments. Always search tools first for current schemas.
yield-intelligence
Passive income portfolio analysis — activate when user asks about dividend yields, Treasury rates, REIT income, monthly passive income goals, or portfolio yield optimization. Scans 4 asset classes, ranks by risk-adjusted return, and builds allocations targeting a specific monthly income.