Security audit

Brave Search 1.0.1

Security checks across malware telemetry and agentic risk

Overview

This skill performs ordinary web search and page extraction, with documentation gaps but no evidence of hidden, destructive, or malicious behavior.

Install only if you are comfortable with a scraper-style Brave search tool. Do not provide BRAVE_API_KEY unless the maintainer updates the implementation or documentation, avoid secrets and private/internal URLs in searches, and treat extracted page text as untrusted web content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 93%
Finding: The skill documentation exposes network-capable behavior but does not declare any explicit permissions or constraints around that access. In an agent setting, undeclared network capability can bypass user expectations and policy review, enabling external data exfiltration or unapproved outbound requests through search and content-fetch operations.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 96%
Finding: The documented purpose is Brave Search API-based search, but the behavior reportedly also includes arbitrary URL fetching and scraping of Brave result pages directly. That mismatch is dangerous because reviewers and users may approve the skill for narrow search use while it actually has broader web retrieval capability, increasing the chance of SSRF-like misuse, policy bypass, or unexpected handling of untrusted content.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding: Phrases like 'any web content' make the skill eligible for a very broad set of prompts, which can cause over-invocation of a networked tool on requests that do not need external access. In agent environments, overly broad routing increases the risk of unnecessary data disclosure to third parties and use of untrusted external content in downstream reasoning.

Vague Triggers

Severity: Medium
Confidence: 86%
Finding: The trigger 'Any task requiring web search without interactive browsing' is so open-ended that the skill may be selected for many ordinary requests without meaningful safeguards. Because this skill performs outbound requests and ingests arbitrary page content, vague activation criteria expand exposure to malicious pages, prompt injection in fetched content, and unnecessary transmission of user queries.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The documentation does not warn that user queries and requested URLs are sent to external services and that fetched page content is processed. This omission undermines informed consent and can lead users or orchestrators to pass sensitive queries, identifiers, or internal URLs into a tool that transmits them off-system.

VirusTotal

65/65 vendors flagged this skill as clean.