Brave Search MCP Server
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing or running the package executes code supplied outside this skill artifact.
The setup uses external npm/GitHub sources and does not pin a version. This is normal for an MCP server install, but users should verify the package and repository provenance before running it.
npm install -g @brave/brave-search-mcp-server ... npx ... @brave/brave-search-mcp-server ... git clone https://github.com/brave/brave-search-mcp-server
Verify that the npm package and GitHub repository are Brave-controlled, and consider pinning a trusted version instead of relying on the latest package.
The configured server can use the user's Brave Search API quota and any permissions associated with that key.
The MCP configuration expects a Brave API key. That is purpose-aligned for Brave Search, but it grants access to the user's API quota/account and is not declared in the registry metadata.
"env": { "BRAVE_API_KEY": "YOUR_API_KEY_HERE" }
Use a dedicated Brave API key with the least necessary access, store it only in the MCP environment, and monitor usage or revoke it if no longer needed.
Sensitive search terms or precise locations included in prompts may be shared with Brave's API.
The skill sends search queries, and potentially locations for local search, to an external search API. This is the core purpose of the tool but is still a data-sharing boundary users should notice.
Provides comprehensive search capabilities ... Brave Search API ... `location` (optional) - City, address, coordinates
Avoid putting private personal, business, or precise location details into searches unless you intend to send them to the Brave Search API.
