Brave Search

Review

Audited by ClawScan on May 1, 2026.

Overview

The skill mostly performs web search and page extraction, but its documentation misleadingly asks for a Brave API key and claims API usage while the code scrapes Brave's public search page instead.

Review this skill before installing. It appears to perform straightforward web search and extraction, but do not provide a Brave API key unless the implementation is corrected or clarified. Expect your queries and requested URLs to be sent to Brave or target websites, and treat extracted page content as untrusted reference text.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user may unnecessarily provision or expose a Brave API key even though the included implementation does not use it.

Why it was flagged

The skill asks for a Brave API credential, but the registry metadata declares no required env vars or primary credential, and the provided search.js source does not reference BRAVE_API_KEY or process.env.

Skill content

Needs env: `BRAVE_API_KEY`.

Recommendation

Do not provide a Brave API key until the skill either implements and declares official API-key usage or removes the credential requirement from the instructions.

What this means

Users may believe they are using an official API integration with expected API behavior, limits, and terms, when the artifact actually performs HTML scraping.

Why it was flagged

The code fetches and parses Brave's public HTML search page, which conflicts with SKILL.md's claim that the skill uses the 'Brave Search API'.

Skill content

const url = `https://search.brave.com/search?q=${encodeURIComponent(query)}`; ... const snippets = doc.querySelectorAll('div.snippet[data-type="web"]');

Recommendation

Update the documentation to accurately disclose HTML scraping, or change the implementation to use Brave's official API and declared credential handling.

What this means

A fetched page could contain misleading instructions or prompt-injection text that should not be treated as user or system instructions.

Why it was flagged

The skill can fetch arbitrary web page content and print it as markdown for the agent to read; that content is untrusted external text.

Skill content

./search.js "query" --content          # Include page content as markdown

Recommendation

Use fetched content as reference material only, and keep higher-priority user/system instructions separate from web page text.

What this means

Installing the skill will download third-party npm dependencies despite the registry metadata not advertising an install mechanism.

Why it was flagged

The skill requires a user-directed npm dependency install even though the registry lists no install spec.

Skill content

Run once before first use:
cd ~/Projects/agent-scripts/skills/brave-search
npm ci

Recommendation

Review the package files before installation. The publisher should declare the npm setup step in the metadata/install specifications.