Headless Brave Browser
Pass
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a purpose-aligned Brave Search and webpage extraction tool, with expected API-key use, external web requests, and untrusted webpage content returned to the agent.
Before installing, verify the source/homepage and the lockfile mismatch, run the documented npm install from the skill root, use a revocable Brave API key, avoid sensitive queries or internal URLs unless intended, and treat extracted webpage text as untrusted content.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or low-quality webpage could include text that tries to steer the agent away from the user's real task.
Fetched webpage content is printed into the skill output, where it may be consumed by an agent. Although returning page text is expected for a content-extraction tool, webpages can contain adversarial instructions.
console.log(`Content:\n${result.content}`);
Treat all returned webpage content as untrusted data, not as instructions, and require user confirmation before acting on directions found in pages.
If invoked on private, internal, or unintended URLs, the tool could retrieve content from places the user did not mean to expose to the agent context.
The content extractor performs HTTP/HTTPS fetches for supplied or search-result URLs and follows redirects. This is core functionality, but it means requests originate from the user's environment.
const response = await fetch(url, { ... redirect: "follow", });
Use it only for intended public or approved URLs, and avoid autonomous fetching of internal or sensitive endpoints unless that is explicitly desired.
The skill can use the user's Brave Search API quota and account entitlement.
The Brave API key is sent as the subscription token to Brave's search API. This is expected and disclosed, and there is no evidence of hardcoded keys or unrelated credential transmission.
"X-Subscription-Token": cfg.BRAVE_API_KEY,
Use a revocable Brave API key with appropriate scope or quota limits, and do not share logs or environments that expose the key.
The install may still work, but the package metadata looks stale or renamed, which can make provenance harder to verify.
The visible lockfile identity differs from the registry and package.json identity of brave-headless 0.2.0. Dependencies appear purpose-aligned and a lockfile is present, but the mismatch is a minor provenance/install hygiene issue.
"name": "brave-search", "version": "2.0.0"
Verify the homepage/source before installing and consider regenerating the lockfile so package metadata matches the published skill.
Sensitive search terms may be processed by Brave's API service.
Search queries are sent to the Brave Search API. This external provider flow is clearly aligned with the skill purpose, but users should understand that queries leave the local environment.
const url = new URL("https://api.search.brave.com/res/v1/web/search"); url.searchParams.set("q", searchQuery);
Avoid sending confidential queries unless Brave's API terms and your environment policy allow it.
