ClawHub

yee-brave-search

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Brave web-search helper, with privacy and permission-disclosure gaps but no evidence of hidden or harmful behavior.

Install only if you are comfortable sending search terms to Brave Search using your own API key. Avoid using it for secrets, credentials, private documents, or sensitive personal information, and prefer an updated version that explicitly declares network and environment-variable requirements.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill documentation advertises functionality that requires environment variable access and outbound network access, but it does not declare those permissions in the manifest metadata. This creates a transparency and policy-enforcement gap: users or platforms may approve the skill without understanding its real capabilities, increasing the risk of unintended data access or network exfiltration.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The usage text says the agent can be asked to 'search for anything,' which is an overly broad trigger likely to match many ordinary user requests. In agent environments, broad invocation language can cause the skill to run unexpectedly and send prompts or user queries to an external service without clear user intent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill describes web search functionality but does not warn that user queries will be transmitted to the Brave Search API, which is a third-party external service. This omission can expose sensitive user inputs, internal prompts, or confidential search terms to an outside provider without informed consent.

VirusTotal

57/57 vendors flagged this skill as clean.

View on VirusTotal