v1.0.1

Brave Web Search

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 6:05 AM.

Analysis

This skill appears to do the disclosed Brave web search and answer lookups, using Brave API keys and sending search queries to Brave.

Guidance: This looks safe to install if you intend to let the agent perform Brave web searches. Provide only the Brave API keys needed for this purpose, monitor API usage if quota matters, and avoid sending sensitive or confidential text as search queries.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low; Confidence: High; Status: Note
index.js
const key = process.env.BRAVE_SEARCH_API_KEY; ... headers: { ...baseHeaders, 'X-Subscription-Token': apiKey }

The skill uses environment-provided Brave credentials as API authentication headers. This is purpose-aligned, but it is still delegated account/API-key access.

User impact: Installing the skill means the agent can use the configured Brave API keys for searches and summaries, potentially consuming quota or exposing those keys if the local environment is compromised.
Recommendation: Use Brave API keys intended for this purpose, keep them scoped and rotated as appropriate, and avoid sharing the environment with untrusted code.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low; Confidence: High; Status: Note
SKILL.md
This skill only sends query strings to the Brave Search and Brave Summarizer APIs.

User queries are intentionally sent to an external provider. The data flow is disclosed and aligned with the skill purpose, but query text may still contain sensitive information.

User impact: Search terms or factual questions entered through the skill may be visible to Brave's API service and handled according to Brave's policies.
Recommendation: Do not use the skill for secrets, private tokens, confidential business data, or sensitive personal information unless sending that text to Brave is acceptable.