Taizi Brave Search
Web search and content extraction via Brave Search API. Use for searching documentation, facts, or any web content. Lightweight, no browser required.
MIT-0 · Free to use, modify, and redistribute. No attribution required.
by @fresh3
fork of @steipete/brave-search (based on 1.0.1)
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
SKILL.md and description claim 'Brave Search API' and say 'Needs env: BRAVE_API_KEY', but the packaged code (search.js) performs HTTP GET requests to https://search.brave.com/search?q=... and parses the HTML; there is no use of an API key or an API endpoint. Asking for an API key in docs is unexplained and disproportionate to the code.
Instruction Scope
Runtime instructions are concrete (run npm ci in the skill folder and call the included scripts). They instruct fetching external URLs (Brave search and arbitrary pages returned by results or provided to content.js) which is consistent with the stated purpose, but the SKILL.md's API-key requirement is misleading. The scripts fetch and parse arbitrary web pages — expected for this skill but potentially sensitive if run against internal URLs.
Install Mechanism
There is no formal install spec in the registry, but SKILL.md tells users to run 'npm ci' in the skill directory. That will pull many dependencies from the npm registry (package-lock.json included). This is standard for Node projects but carries network/install risk (moderate) compared with an instruction-only skill with no npm install.
Credentials
Registry metadata declares no required env vars, but SKILL.md claims BRAVE_API_KEY is needed. The code does not read any environment variables. Requesting an API key in docs without using it is disproportionate and misleading; do not provide unrelated secrets.
Persistence & Privilege
always is false and the skill does not request elevated or persistent platform privileges, nor does it modify other skills or agent-wide settings. It runs as an on-demand script and prints output to stdout.
Scan Findings in Context
[no-findings] expected: Static regex scanner reported no suspicious patterns. That does not negate the documented/code mismatch: the chief issue is incoherent documentation (API key claim) rather than an obvious malware signature.
What to consider before installing
This skill's code scrapes Brave's public search HTML and fetches page content — that matches the 'search and extract' purpose. However, SKILL.md incorrectly says it uses the Brave Search API and needs BRAVE_API_KEY while the code never reads an API key. Do not provide any unrelated secrets (API keys) to this skill. If you plan to install/run it: (1) verify the source/trustworthiness (the registry owner and _meta.json disagree), (2) review the included code (you already have) and confirm you accept that it performs network requests to arbitrary URLs, (3) be cautious running 'npm ci' as it will install dependencies from npm, and (4) avoid running it in environments where fetching internal or sensitive URLs could leak data. If you need a skill that uses a Brave Search API key, ask the author for an updated version that actually uses the API and documents required env vars correctly.
Like a lobster shell, security has layers — review code before you run it.
Current version: v1.0.0
SKILL.md
Brave Search
Headless web search and content extraction using Brave Search. No browser required.
Setup
Run once before first use:
cd ~/.openclaw/skills/brave-search
npm ci
Needs env: BRAVE_API_KEY.
Search
./search.js "query" # Basic search (5 results)
./search.js "query" -n 10 # More results
./search.js "query" --content # Include page content as markdown
./search.js "query" -n 3 --content # Combined
Extract Page Content
./content.js https://example.com/article
Fetches a URL and extracts readable content as markdown.
Output Format
--- Result 1 ---
Title: Page Title
Link: https://example.com/page
Snippet: Description from search results
Content: (if --content flag used)
Markdown content extracted from the page...
--- Result 2 ---
...
When to Use
- Searching for documentation or API references
- Looking up facts or current information
- Fetching content from specific URLs
- Any task requiring web search without interactive browsing
