Headless Brave Browser

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Brave Search and webpage extraction tool with expected outbound web requests and no evidence of hidden persistence, exfiltration, or destructive behavior.

Install only if you are comfortable sending search terms to Brave Search and fetching the URLs you ask it to process. Avoid confidential queries or internal-only URLs unless you are authorized, and be aware that query and URL metadata can appear in stderr logs depending on logging settings.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 95%
Finding
The usage and configuration sections describe search and content extraction but do not explicitly warn users that queries, URLs, and potentially fetched page data are sent to external services and remote websites. In a research/extraction skill, this omission is particularly important because users may pass sensitive internal URLs, confidential search terms, or proprietary content, leading to unintended data disclosure.

VirusTotal

64/64 vendors flagged this skill as clean.
