Vincent - Brave Search
Pass
Audited by ClawScan on May 1, 2026.
Overview
This is a coherent Brave Search skill, but it uses a runtime Vincent CLI, stores a scoped Vincent token, sends searches through Vincent/Brave, and can spend user credits per call.
Before installing, make sure you are comfortable with Vincent acting as a proxy for Brave Search, a local scoped token being stored, npx running the Vincent CLI, and the agent spending credits per search. Keep credit limits modest, monitor creditRemainingUsd, and revoke the secret if you no longer want the agent to use it.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may spend Vincent credits when it decides a web or news search is useful.
The skill allows autonomous searches that consume paid credits. This is clearly disclosed and aligned with a search skill, but users should notice the cost-bearing tool use.
Model invocation is intentionally enabled... The agent is expected to search the web and news on its own... Credit is deducted automatically per call.
Use limited prepaid credit or a controlled payment setup, monitor the returned credit balance, and revoke the key if the agent searches more than desired.
A local Vincent token can be used for authorized data-source calls and credit consumption until revoked.
The skill creates and stores a reusable Vincent credential. This is expected for the integration and is described as scoped and revocable, but it is still account authority tied to paid service usage.
the agent creates a DATA_SOURCES secret at runtime by calling the Vincent API, which returns a scoped API key. The CLI stores the returned API key automatically during creation.
Claim ownership of the secret, protect the credential storage path, keep credit limits appropriate, and revoke the token from Vincent when no longer needed.
Future versions of the CLI package could behave differently from the version reviewed in the skill instructions.
The skill relies on executing an npm CLI package via npx using the latest version. This is disclosed and central to the skill, but unpinned runtime packages can change over time.
allowed-tools: Read, Write, Bash(npx:@vincentai/cli*) ... npx @vincentai/cli@latest secret list --type DATA_SOURCES
Prefer a pinned CLI version if possible, and only use the skill if you trust the Vincent CLI package and publisher.
Queries entered for web or news search may be visible to the Vincent service and upstream search provider handling the request.
Search queries are routed through Vincent and then to Brave. The provider flow is disclosed, but search terms may still reveal sensitive interests or private context.
All API calls go exclusively to `heyvincent.ai` over HTTPS/TLS. The Vincent server then calls the Brave Search API. The agent does not contact Brave directly.
Avoid sending secrets, private identifiers, or confidential business details as search queries unless that sharing is acceptable.
