ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Brave Search Old

Web search and content extraction via Brave Search API. Use for searching documentation, facts, or any web content. Lightweight, no browser required.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 22 · 0 current installs · 0 all-time installs
byJinho Suh@amabillis
fork of @steipete/brave-search (based on 1.0.1)
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
SKILL.md and the top-level description state 'Brave Search API' and 'Needs env: BRAVE_API_KEY'. The shipped code (search.js/content.js) performs HTML fetches against https://search.brave.com/search and arbitrary page URLs and does not read or use any BRAVE_API_KEY. The declared purpose (API-backed search) does not match the actual implementation (HTML scraping).
Instruction Scope
Runtime instructions tell the user to run npm ci and to provide BRAVE_API_KEY, but the scripts simply run locally, fetch search results and page HTML, and extract content to markdown. The code does not access local files or extra env vars, but it will fetch arbitrary external URLs (including user-supplied links), which can surface sensitive intranet content if run in a networked environment.
Install Mechanism
There is no automated install spec in the registry (instruction-only skill). The SKILL.md's one-time setup (npm ci) is consistent with the included package.json/package-lock.json. No downloads from untrusted URLs or extraction of remote archives are present.
!
Credentials
Metadata lists no required env vars, but SKILL.md asks for BRAVE_API_KEY. The code does not use any API key. Asking for a secret API key in documentation while not using it is disproportionate and misleading — users might supply credentials unnecessarily or assume the key is protecting requests when the implementation is scraping instead.
Persistence & Privilege
The skill is not always-enabled and requests no special persistence or privileges. It does network I/O but does not modify other skills or system-wide settings.
What to consider before installing
This package appears to be a headless scraper, not an official Brave Search API client despite the README claiming an API and an API key. Before installing or providing any secrets: (1) don't supply BRAVE_API_KEY unless you confirm the code actually uses it; (2) review the included search.js/content.js yourself — they perform HTTP fetches to search.brave.com and arbitrary URLs and will retrieve content from whatever network the agent runs in (this can leak internal pages if run on a machine with intranet access); (3) run in an isolated environment (or without network access) if you want to inspect behavior first; (4) prefer a documented API-backed client if you require authenticated Brave Search usage. If the maintainer can explain why the docs request an API key (or update docs to reflect scraping), the mismatch would be resolved.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk971m985w90ycsw3e35y8292dd830n27

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Brave Search

Headless web search and content extraction using Brave Search. No browser required.

Setup

Run once before first use:

cd ~/Projects/agent-scripts/skills/brave-search
npm ci

Needs env: BRAVE_API_KEY.

Search

./search.js "query"                    # Basic search (5 results)
./search.js "query" -n 10              # More results
./search.js "query" --content          # Include page content as markdown
./search.js "query" -n 3 --content     # Combined

Extract Page Content

./content.js https://example.com/article

Fetches a URL and extracts readable content as markdown.

Output Format

--- Result 1 ---
Title: Page Title
Link: https://example.com/page
Snippet: Description from search results
Content: (if --content flag used)
  Markdown content extracted from the page...

--- Result 2 ---
...

When to Use

  • Searching for documentation or API references
  • Looking up facts or current information
  • Fetching content from specific URLs
  • Any task requiring web search without interactive browsing

Files

6 total
Select a file
Select a file to preview.

Comments

Loading comments…