v0.2.0

Headless Brave Browser

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 5:51 AM.

Analysis

This skill appears to do what it says: use a Brave API key for web search and fetch requested web pages for content extraction.

Guidance: Before installing, confirm you trust the package source, provide a dedicated Brave Search API key, and remember that fetched web-page content is untrusted input that should not be treated as instructions.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low | Confidence: High | Status: Note
scripts/content-fetcher.js
const response = await fetch(url, { ... redirect: "follow" });

The skill fetches HTTP/HTTPS URLs for content extraction, which is central to its purpose but gives the agent network-fetch capability.

User impact: The agent may retrieve and summarize web pages; content from those pages could include untrusted or misleading instructions.
Recommendation: Treat extracted web content as untrusted reference material, especially before acting on instructions found inside pages.

Agentic Supply Chain Vulnerabilities
Severity: Info | Confidence: High | Status: Note
SKILL.md
Run once before first use:

```bash
cd <skill-root>
npm ci
```

The skill requires installing npm dependencies, which is expected for this Node.js implementation and is disclosed in setup instructions.

User impact: Installing the skill will install third-party npm packages needed for HTML parsing and Markdown conversion.
Recommendation: Install from a trusted source and prefer the included lockfile when running npm ci.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
scripts/search.js
"X-Subscription-Token": cfg.BRAVE_API_KEY

The skill uses the Brave API key as an authentication token when calling the Brave Search API, matching the disclosed requirement.

User impact: The skill can spend or use quota associated with your Brave Search API key when searches are run.
Recommendation: Use a dedicated Brave API key with appropriate quota limits and do not share logs or outputs that might reveal credentials.