Headless Brave Browser
v0.2.0
Headless web search and content extraction via the Brave Search API. Features exponential-backoff retry, circuit breaker fault isolation, bounded-concurrency...
by Franklin Kelechi @kelexine
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the implementation: the code calls the Brave Search API using BRAVE_API_KEY, fetches page HTML, runs Readability/jsdom/turndown to extract Markdown, and exposes the documented CLI. Declared binaries (node, npm), node dependencies, and env var needs align with the stated functionality.
Instruction Scope
SKILL.md and the scripts confine behavior to searching the Brave API and fetching/parsing target web pages. However, content extraction will perform HTTP(S) requests to arbitrary URLs provided by the user or returned by Brave results — this can reach internal/intranet endpoints if the host running the skill has such network access (SSRF-style exposure). Logs go to stderr and stdout is reserved for output, which is appropriate.
Install Mechanism
Installation uses npm packages (@mozilla/readability, jsdom, turndown, etc.) via npm (package.json + package-lock present). These are mainstream libraries and the install path is a normal npm workflow, but 'npm ci' will write dependencies to disk and run any package lifecycle scripts present in dependencies — a moderate risk compared with an instruction-only skill. No arbitrary URL downloads or extract-from-unknown-host steps were found.
Credentials
Only BRAVE_API_KEY is required as a secret credential; other environment variables control timeouts, logging, and limits. The requested credential is proportional and necessary for Brave API access. The code does not access other undeclared secrets or config paths.
Persistence & Privilege
Skill is not always-enabled and does not request permanent platform-wide privileges. It does not modify other skills or system settings. Autonomous invocation remains possible (platform default), but there's no sign the skill escalates that capability.
Assessment
This skill appears to be what it says: a Node.js CLI that calls the Brave Search API and fetches page HTML to extract Markdown. Before installing:
(1) Verify the skill source (the SKILL.md references a GitHub repo—confirm that matches the registry package) and only use a trusted BRAVE_API_KEY.
(2) Be aware 'npm ci' will install and write dependencies to disk and could run package install scripts; inspect package-lock.json and dependency provenance if you require stricter supply-chain controls.
(3) Content extraction issues: the tool will make outbound HTTP(S) requests to arbitrary URLs (both Brave API and target pages), so run it in a network-restricted or sandboxed environment if you want to avoid accidental access to internal services.
(4) Limit secrets: only provide BRAVE_API_KEY and avoid giving other credentials to the environment where you run the skill.
(5) If you need higher assurance, run the tool in an isolated container, review the included source files, and pin/verify dependency checksums before npm install.
Like a lobster shell, security has layers — review code before you run it.
latest vk97eczdxsjjeq41v8h3z0az2j581fbjx
Runtime requirements
🔍 Clawdis
OS: macOS · Linux
Bins: node, npm
Env: BRAVE_API_KEY
Primary env: BRAVE_API_KEY
Install
Node
npm i -g @mozilla/readability
npm i -g jsdom
npm i -g turndown
npm i -g turndown-plugin-gfm