Safe-Web

Review

Audited by ClawScan on May 10, 2026.

Overview

Prompt-injection indicators were detected in the submitted artifacts (ignore-previous-instructions); human review is required before treating this skill as clean.

Safe-Web looks reasonable for its stated purpose. Before installing, review the PromptGuard dependency, consider using an isolated Python environment instead of --break-system-packages, be cautious about the optional sudo symlink and global tool-disabling config, and remember that searches and fetched URLs still go to external web services. ClawScan detected prompt-injection indicators (ignore-previous-instructions), so this skill requires review even though the model response was benign.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If applied globally, the agent may no longer use native web tools, which can change browsing behavior or break workflows that depend on them.

Why it was flagged

This is a disclosed, user-directed recommendation to change the agent's tool choices. It is aligned with the skill's safety purpose, but it is broader than a one-off command.

Skill content
you should disable the native `web_fetch` and `web_search` tools ... This ensures the model **always** uses local prompt injection detection
Recommendation

Only disable native tools after testing Safe-Web, and keep the config change easy to reverse or scoped to projects where this policy is desired.

What this means

If pointed at private intranet, localhost, or metadata-service URLs, the tool may fetch data from locations the user did not intend to expose to the agent context.

Why it was flagged

The tool fetches arbitrary user/agent-supplied URLs and follows redirects. That is central to its purpose, but it is still broad network authority: because redirects are followed automatically, even a URL that points at a public host can end up fetching from an internal address if the public host redirects there.

Skill content
response = requests.get(url, headers=headers, timeout=timeout, allow_redirects=True)
Recommendation

Use explicit, intended URLs. For automated use, consider adding host allowlists or blocking private, loopback, link-local and cloud-metadata address ranges, and apply that check to the resolved address at every redirect hop rather than only to the initial URL, if internal endpoints should never be fetched.
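One way to implement that recommendation, as an added example rather than Safe-Web's own code. It uses the standard library (urllib instead of requests, so nothing extra has to be installed), disables automatic redirects and re-validates the resolved address at each hop. The function names, the chosen blocked ranges and the `resolver` parameter (injected so the check can be exercised without DNS) are all assumptions of this example, not part of the skill.

```python
import ipaddress
import socket
import urllib.error
import urllib.parse
import urllib.request

# Address ranges an agent-driven fetcher should never reach (example policy):
# loopback, RFC 1918 / ULA private space, CGNAT, link-local (which contains
# the 169.254.169.254 cloud metadata endpoint), unspecified and multicast.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]


def resolve_host(host):
    """Default resolver: every address the host currently resolves to."""
    return sorted({info[4][0].split("%")[0] for info in socket.getaddrinfo(host, None)})


def check_url(url, resolver=resolve_host):
    """Return (ok, reason); ok is False when the URL must not be fetched."""
    parts = urllib.parse.urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme %r not allowed" % parts.scheme
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    try:
        addrs = resolver(host)
    except socket.gaierror as exc:
        return False, "unresolvable host %s: %s" % (host, exc)
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        # ::ffff:127.0.0.1 is loopback too; unwrap IPv4-mapped IPv6 before checking.
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        if any(ip in net for net in BLOCKED_NETWORKS):
            return False, "%s resolves to blocked address %s" % (host, ip)
    return True, "ok"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects inside urllib; they surface as HTTPError."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_opener = urllib.request.build_opener(_NoRedirect)


def safe_fetch(url, max_redirects=5, timeout=10, resolver=resolve_host):
    """Fetch url as bytes, re-validating the target at every redirect hop."""
    for _ in range(max_redirects + 1):
        ok, reason = check_url(url, resolver)
        if not ok:
            raise ValueError("refusing to fetch %s: %s" % (url, reason))
        try:
            with _opener.open(url, timeout=timeout) as resp:
                return resp.read()
        except urllib.error.HTTPError as err:
            location = err.headers.get("Location")
            if err.code in (301, 302, 303, 307, 308) and location:
                # Follow manually so the next hop goes through check_url again.
                url = urllib.parse.urljoin(url, location)
                continue
            raise
    raise ValueError("too many redirects starting from %s" % url)
```

The check is done on resolved addresses, not on hostnames, so a public name that resolves to an internal address is refused as well. One caveat remains: the address is resolved once for the check and again by the HTTP client, so a DNS-rebinding attacker could still change the answer between the two lookups; closing that gap requires connecting to the validated address directly, which urllib does not expose.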

What this means

Search queries consume the user's Brave API quota and are associated with the configured key.

Why it was flagged

Search uses a Brave Search API key from the environment and sends it to Brave's API. This is expected for the documented search feature and there is no evidence of logging or unrelated credential use.

Skill content
api_key = os.environ.get('BRAVE_API_KEY') ... 'X-Subscription-Token': api_key
Recommendation

Use a limited Brave API key, set it only where needed, and rotate it if it may have been exposed.

What this means

A compromised or incompatible dependency could affect Safe-Web, and --break-system-packages may alter the system Python environment.

Why it was flagged

The documented installation depends on another workspace skill and unpinned Python packages, and optionally creates a system-wide symlink. These are visible setup steps, but they affect the local environment.

Skill content
pip3 install --break-system-packages -e . ... pip3 install --break-system-packages requests beautifulsoup4 ... sudo ln -s ... /usr/local/bin/safe-web
Recommendation

Review the PromptGuard dependency, prefer a virtual environment or pinned dependency versions, and only create the sudo symlink if a system-wide command is needed.

What this means

Users might mistakenly assume search queries or fetched URLs never leave the machine.

Why it was flagged

The local-scanning claim is reasonable for PromptGuard analysis, but the wording can be overread because fetching URLs and Brave search necessarily contact remote services, which are disclosed elsewhere.

Skill content
**Local scanning:** All detection happens locally; no data sent to third parties
Recommendation

Treat the no-third-party statement as applying to the scanning step only; avoid sensitive searches or URLs unless sharing them with the target site or Brave is acceptable.