Brave Api Search 3.0.2

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Brave Search API skill that discloses its API-key and network use; the usual privacy cautions about sending queries to a third party apply.

Install only if you are comfortable sending search queries and answer prompts to Brave under your Brave API keys. Keep the keys in environment variables or a local, uncommitted .env file, and do not put secrets, private internal data, or regulated personal information into queries.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 87%
Finding: The skill explicitly requires environment variables containing API keys and makes outbound network requests, yet its metadata declares no corresponding permissions or capabilities. This is a transparency and policy issue: operators may not realize the skill can read secrets and transmit data externally, which increases the chance of unintended secret exposure or unauthorized external calls.

External Transmission

Severity: Medium
Category: Data Exfiltration
Content:
## Security & Packaging Notes

- This skill only calls Brave official endpoints under `https://api.search.brave.com/res/v1`.
- It requires exactly two env vars: `BRAVE_SEARCH_API_KEY` and `BRAVE_ANSWERS_API_KEY` (keep them in `.env`, not inline in commands/chats).
- It does not request persistent/system privileges and does not modify system config.
- It is source-file based (three local Node scripts), with no external install/download step.
Confidence: 81%
Finding: outbound transmission to https://api.search.brave.com/
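
The controls the overview and the skill's own notes describe (keys read only from the environment, traffic only to the declared Brave base URL, no secrets in queries) are easy to state and easy to get wrong. The following is an added example, not code from the skill or from SkillSpector, of a fail-closed guard a reviewer would want in front of the outbound call. It assumes Node 18+; the env var names and the `https://api.search.brave.com/res/v1` base URL are the ones this page cites, while the `/web/search` path and `X-Subscription-Token` header are assumed from Brave's public API documentation rather than from this page and should be checked against it.

```javascript
// Added example (not the skill's or SkillSpector's code): a fail-closed outbound
// guard for a Node skill that calls the Brave Search API. Assumes Node 18+.
// Env var names and ALLOWED_BASE come from the skill's notes; the /web/search path
// and X-Subscription-Token header are assumed from Brave's public API docs.

const ALLOWED_BASE = "https://api.search.brave.com/res/v1";
const REQUIRED_KEYS = ["BRAVE_SEARCH_API_KEY", "BRAVE_ANSWERS_API_KEY"];

// Read a required key from the environment (never from a CLI flag or a chat
// message) and throw rather than proceed with an empty value.
function requireEnv(name, env = process.env) {
  const value = env[name];
  if (typeof value !== "string" || value.trim() === "") {
    throw new Error(`missing required environment variable ${name}`);
  }
  return value;
}

// Accept only HTTPS URLs whose host is exactly the Brave API host and whose path
// sits under the declared base. Look-alike hosts, a downgraded scheme, a sibling
// path such as /res/v10, and embedded credentials are all rejected.
function isAllowedEndpoint(candidate) {
  let url;
  try {
    url = new URL(candidate);
  } catch {
    return false;
  }
  const base = new URL(ALLOWED_BASE);
  return (
    url.protocol === "https:" &&
    url.hostname === base.hostname &&
    url.username === "" &&
    url.password === "" &&
    (url.pathname === base.pathname || url.pathname.startsWith(base.pathname + "/"))
  );
}

// Scrub loaded secrets from anything that will be logged or echoed back to a user.
function redactSecrets(text, secrets) {
  return secrets
    .filter((s) => s.length > 0)
    .reduce((out, s) => out.split(s).join("[REDACTED]"), String(text));
}

// Build the outbound web-search request. Refuses to proceed if a key is missing,
// if the query itself contains one of the loaded keys, or if the final URL is
// not on the allowlist. Returns the URL, headers, and a log-safe line.
function buildSearchRequest(query, env = process.env) {
  const keys = REQUIRED_KEYS.map((name) => requireEnv(name, env));
  if (keys.some((k) => query.includes(k))) {
    throw new Error("query contains an API key; refusing to send it");
  }
  const url = new URL(ALLOWED_BASE + "/web/search");
  url.searchParams.set("q", query);
  if (!isAllowedEndpoint(url.href)) {
    throw new Error(`endpoint ${url.href} is not on the allowlist`);
  }
  return {
    url: url.href,
    headers: { Accept: "application/json", "X-Subscription-Token": keys[0] },
    logLine: redactSecrets(`GET ${url.href}`, keys),
  };
}
```

The request object is then handed to `fetch(req.url, { headers: req.headers })`; keeping that call separate from the checks makes the allowlist and redaction unit-testable without network access. The host comparison is exact on purpose: a `startsWith`/`endsWith` check on the hostname would admit `api.search.brave.com.evil.example`, and the path check is anchored with a trailing slash so `/res/v10` cannot satisfy a `/res/v1` prefix.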

VirusTotal

VirusTotal findings are pending for this skill version.
