Brave Search MCP Server
v1.0.0

Privacy-first Brave Search MCP Server offers AI-powered web, image, video, news, and local POI search with summarization and no tracking for agent use.
by Siddharth Menon (@buddhasource)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw)
Verdict: Suspicious (medium confidence)

Purpose & Capability
The SKILL.md consistently describes a Brave Search MCP server and documents the expected behavior (web/image/video/news/local search, configured via BRAVE_API_KEY). However, the registry metadata lists no homepage or source repository, and the skill's publisher is an opaque owner ID; both conflict with the "official" claim and reduce trust.
Instruction Scope
The runtime instructions tell users/agents to install and run @brave/brave-search-mcp-server via npm or a GitHub clone and to set BRAVE_API_KEY in the MCP client config. The SKILL.md is otherwise scoped to search operations and does not ask the agent to read unrelated files, but it references an environment variable (BRAVE_API_KEY) that the registry metadata did not declare. This mismatch matters: an undeclared credential may be handled outside the integrator's normal scoping and protection.
Install Mechanism
There is no installer in the registry (the skill is instruction-only), but the SKILL.md instructs the user to install via npm (npm install -g) or to git clone from GitHub. Installing an npm package or running code from GitHub is a normal way to provide this functionality, but it carries the standard risk of executing third-party code; verify the exact npm package name and GitHub repository before running a global install.
Credentials
The skill requires an API key (BRAVE_API_KEY) according to its instructions, which is proportionate for a search API. However, the registry metadata declares no required environment variables or primary credential. This inconsistency is a red flag because the agent or integrator might not be prompted to protect or scope the key appropriately.
Persistence & Privilege
The skill does not request permanent presence (always: false) and uses the default autonomous invocation. The SKILL.md does not request system-wide configuration changes, and no elevated persistent privileges are requested in the manifest.
What to consider before installing
This skill appears to be an integration for Brave Search and only needs a Brave API key, which is reasonable for the claimed purpose. However, the registry entry lacks a homepage/source and does not declare BRAVE_API_KEY even though the SKILL.md requires it; this mismatch reduces trust. Before installing or running any global npm commands, verify the package and repository:

1) Visit the referenced GitHub repository and npm package pages directly (copy-paste the URLs into your browser) and confirm the publisher is Brave and the code looks legitimate.
2) Check npm download counts, maintainers, and repository history.
3) Inspect the package source (especially startup scripts) for unexpected network calls or credential exfiltration.
4) If you proceed, create a scoped API key with minimal privileges and monitor its usage.
5) Prefer installing in a sandboxed environment first rather than running global npm installs on a production machine.

If you cannot confirm the package/repository identity, treat the skill as untrusted.
