alexey-brave-search
v1.0.0
Web search and content extraction via Brave Search API. Use for searching documentation, facts, or any web content. Lightweight, no browser required.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description advertise 'Brave Search API' and SKILL.md says 'Needs env: BRAVE_API_KEY', yet the code (search.js) builds a public search URL (https://search.brave.com/search?q=...) and scrapes HTML; no API calls or API-key usage are present. Asking for an API key is not justified by the code.
Instruction Scope
SKILL.md instructs running npm ci and sets a BRAVE_API_KEY requirement, but metadata lists no required env vars and the scripts do not read any environment variables. The runtime instructions therefore diverge from the actual behavior in the included code.
Install Mechanism
No formal install spec in registry, but SKILL.md tells the user to run 'npm ci' — package.json and package-lock.json are included. Dependencies are common (jsdom, readability, turndown) pulled from npm (moderate risk). Nothing is downloaded from obscure URLs or executed from remote archives.
Credentials
The README asks for BRAVE_API_KEY although the skill's package metadata does not declare required env vars and the JS files never access process.env; requesting a secret that the code doesn't need is disproportionate and could trick users into supplying credentials unnecessarily.
Persistence & Privilege
Skill is not always-enabled, does not request system-wide config or modify other skills, and contains no autonomously privileged installation behavior. It only runs as-invoked.
What to consider before installing
Do not provide any API keys or secrets to this skill yet. The README claims a Brave Search API key is needed, but the code simply scrapes search.brave.com and does not read BRAVE_API_KEY — this mismatch could be sloppy documentation or an attempt to collect a key. If you want to use it:
(1) inspect the code (search.js/content.js) yourself — they are present and readable — to confirm behavior;
(2) run it in a sandboxed environment or throwaway container before granting network access;
(3) if you expect an official Brave API integration, ask the author for proof (link to repo or changelog) or prefer a skill that actually uses the official API;
(4) if you supplied a key already, rotate it.
The owner/metadata also show minor inconsistencies (different owner in _meta.json vs registry owner), which is another reason to verify provenance.
Like a lobster shell, security has layers — review code before you run it.
latestvk970rnp4vz5zbyd311pns497t9820531
