brave-shim

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it persistently rewrites OpenClaw search behavior and runs unpinned external code, so it belongs in Review before use.

Install only if you are comfortable changing OpenClaw's installed search provider files and routing search queries through a locally cloned proxy that uses DuckDuckGo/DDGS. Review or pin the external brave_shim repository and Python dependencies, back up the OpenClaw provider files before patching, and make sure you know how to stop the local service and revert the configuration and file changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def run(cmd, check=True, **kwargs):
    print(f"Running: {cmd}")
    r = subprocess.run(cmd, shell=True, **kwargs)
    if check and r.returncode != 0:
        sys.exit(f"Failed: {cmd}")
    return r
Confidence
85% confidence
Finding
r = subprocess.run(cmd, shell=True, **kwargs)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
venv_python = "python"  # fallback to system python

    print(f"Starting brave_shim from {shim_path}...")
    subprocess.run(f'"{venv_python}" "{shim_path}"', shell=True)

if __name__ == "__main__":
    main()
Confidence
98% confidence
Finding
subprocess.run(f'"{venv_python}" "{shim_path}"', shell=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill performs security-relevant actions, including shell execution, cloning external code, and reading and rewriting local application files, yet declares no permissions or safety boundaries. This is dangerous because it obscures the skill's true capabilities from reviewers and users, increasing the chance of silent modification of a local install and execution of untrusted third-party code.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The script's documented purpose is to start `brave_shim`, but it accepts an arbitrary path from the command line and executes that Python file. In a skill context, this broadens the tool from a specific launcher into a generic code-execution primitive, which is dangerous if an agent or user can influence the argument.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill instructs users to patch bundled OpenClaw JavaScript so requests intended for Brave's API are transparently redirected to a local proxy that emulates the Brave API using DuckDuckGo results. Modifying application distribution files in place without backup, integrity checks, rollback guidance, or a clear warning can break the install, bypass expected trust assumptions, and covertly alter how web search behaves.

Missing User Warnings

Low
Confidence
78% confidence
Finding
The script clones code from a remote GitHub repository and installs packages from the network, but it provides only basic command logging and no explicit warning, pinning, or trust verification. In a skill whose purpose is to set up a third-party shim to bypass a missing API key, this increases supply-chain risk because users may execute unreviewed code and dependencies with local privileges.

VirusTotal

67/67 vendors flagged this skill as clean.
