Brave Rotator
Advisory
Audited by static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Searches may use any configured Brave API key and may quickly spend free-tier or paid quota if invoked often.
The skill explicitly rotates across multiple Brave API keys and retries after rate-limit responses. This is disclosed and central to the purpose, but it can consume quotas across all supplied keys.
automatic key rotation across multiple API keys to maximize free tier limits ... avoid rate limits
Use only keys you intend to dedicate to this skill, monitor Brave API usage, and ensure this rotation behavior is acceptable for your account and use case.
Anyone who can read the state file may be able to see or recover the configured Brave API keys, and logs reveal a key prefix.
The script reads Brave API keys from the environment and stores per-key state using the actual key value as the state-map key. This is purpose-aligned credential use, but it persists sensitive key material locally.
STATE_FILE = Path(os.environ.get("BRAVE_KEY_STATE_FILE", Path.home() / ".brave_key_state.json")) ... raw = os.environ.get("BRAVE_API_KEYS", "") ... state["keys"].setdefault(key, {})
Use dedicated low-privilege Brave keys, keep the state file private, avoid sharing logs/state files, and consider setting BRAVE_KEY_STATE_FILE to a protected path.
Installer or registry views may understate the credential setup needed before the skill works.
The registry metadata does not declare the Brave API key environment variable even though the skill documentation and code require BRAVE_API_KEYS. The requirement is disclosed in SKILL.md, so this is a packaging/disclosure gap rather than hidden behavior.
Required env vars: none; Env var declarations: none; Primary credential: none
Review SKILL.md before use and configure BRAVE_API_KEYS intentionally; publishers should declare this environment variable and credential requirement in metadata.
