Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Brave Api Search 3.0.2
v1.0.0
Real-time web search, autosuggest, and AI-powered answers using the official Brave Search API. Use for searching documentation, facts, current events, or any...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The name/description, SKILL.md, skill.json, and the three Node scripts all align: they call Brave Search/Autosuggest/Answers endpoints and require BRAVE_SEARCH_API_KEY and BRAVE_ANSWERS_API_KEY. Nothing in the code asks for unrelated cloud credentials or system secrets.
Instruction Scope
Runtime instructions are narrowly scoped to calling Brave API endpoints and formatting results. The SKILL.md explicitly tells you to set BRAVE_* keys in a .env or shell; the scripts only read those env vars and make HTTPS calls to api.search.brave.com. There is no code that reads unrelated system files, other credentials, or transmits data to unknown endpoints.
Install Mechanism
There is no install/download step (lowest risk) and all source files are local. However, the package contains Node scripts and the skill.json commands invoke node, but the skill metadata in the registry lists no required binaries; you will need a Node runtime (and a Node >=18 environment for fetch availability) to run these scripts.
Credentials
Only two environment variables are required (BRAVE_SEARCH_API_KEY and BRAVE_ANSWERS_API_KEY), which matches the service being used. The env requirements are proportionate and are referenced in the code. No extra SECRET/TOKEN/PASSWORD variables are requested.
Persistence & Privilege
The skill does not request always:true or any system/persistent privileges. It does not modify system configuration or other skills. Autonomous invocation is allowed (platform default) but is not combined with other concerning flags.
Assessment
This skill is largely coherent and appears to only call Brave's official API. Before installing: (1) verify the skill author/owner because the source/homepage is unknown; (2) ensure you have a Node runtime (Node 18+ recommended for global fetch) since the skill runs local Node scripts; (3) provide only the two Brave API keys and keep them out of version control (.env is recommended); (4) review the small JS files yourself if you want more assurance (they only call api.search.brave.com and format results); (5) monitor your Brave dashboard for unexpected usage after enabling the skill. Note: there are minor metadata/version mismatches in the package (skill.json vs SKILL.md vs _meta.json) — this looks like sloppy packaging rather than malicious behavior, but it does reduce provenance confidence.
brave_answers.js:50
Environment variable access combined with network send.
brave_search.js:21
Environment variable access combined with network send.
brave_suggest.js:20
Environment variable access combined with network send.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
