Brave Api Setup
Review
Audited by ClawScan on May 1, 2026.
Overview
This skill is coherent for Brave Search setup, but it will reveal a Brave API key from your logged-in browser session and save it into OpenClaw configuration.
This appears safe for its stated purpose if you really want OpenClaw configured for Brave Search. Before using it, be comfortable letting the agent reveal your Brave API key in the logged-in browser and write it into ~/.openclaw/openclaw.json; protect or rotate the key if it is exposed unexpectedly.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent will handle a real API credential for the user's Brave Search account; misuse of that key could affect account API usage.
The workflow uses the user's authenticated browser session to reveal and retrieve a Brave Search API key.
"User must be logged in (openclaw browser profile)" ... "The result field contains the exact API key."
Run this only when you intentionally want Brave Search configured, verify the browser is on the Brave API dashboard, and rotate the key if you believe it was exposed.
OpenClaw's persistent web search configuration will be changed, which is expected for the setup task but should be user-intended.
The included helper directly modifies the user's OpenClaw configuration file to store the Brave API key.
const CONFIG_PATH = path.join(process.env.HOME, '.openclaw', 'openclaw.json'); ... config.tools.web.search.apiKey = apiKey; ... fs.writeFileSync(CONFIG_PATH, JSON.stringify(config, null, 2));
Confirm you want this config change before running the helper, and consider backing up or reviewing ~/.openclaw/openclaw.json afterward.
Users should not interpret the skill's statement that the key "never passes through LLM text generation" as a guarantee that the secret is invisible to the agent runtime or local command handling.
The wording is aimed at avoiding transcription errors, but the workflow still handles the exact key in tool results and passes it into a command or config patch.
"The key never passes through LLM text generation." ... "node <skill_dir>/scripts/apply-api-key.js \"<extracted-key>\""
Treat the Brave API key as sensitive; prefer a safer secret-handling path such as stdin or a trusted config patch mechanism when available.
