Brave Images
v1.0.1
Search for images using Brave Search API. Use when you need to find images, pictures, photos, or visual content on any topic. Requires BRAVE_API_KEY environment variable.
⭐ 4 · 2.8k · 6 current · 6 all-time
by @zats
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
SKILL.md clearly implements Brave image search (curl to api.search.brave.com with X-Subscription-Token). That capability is coherent with the name/description. However, the skill text requires a BRAVE_API_KEY environment variable while the registry metadata lists no required env vars and no primary credential — this mismatch is unexpected and disproportionate.
Instruction Scope
Runtime instructions are narrowly scoped to calling the Brave Images endpoint, parsing the JSON response, and presenting images. They do not request reading local files or unrelated environment variables. Note: the SKILL.md instructs the agent to 'send images directly' which implies fetching image bytes from external URLs (normal for an image search skill but worth being aware of because it causes outbound downloads).
Install Mechanism
This is an instruction-only skill with no install spec or code files, so nothing will be written to disk by an installer. That is the lowest-risk installation model.
Credentials
Requesting a single BRAVE_API_KEY is proportionate to a Brave Search integration. The concern is that the manifest/registry metadata did not declare this required env var nor mark it as the primary credential — an inconsistency that could hide needed setup steps or cause confusion about where to place credentials. Verify what the agent platform expects and that the key will not be shared beyond this skill.
Persistence & Privilege
The skill is not marked always:true and uses normal model invocation. It does not request persistent system-wide changes or modify other skills' configs. No elevated persistence or privilege is requested.
What to consider before installing
Before installing: (1) Confirm the skill actually requires and will use BRAVE_API_KEY — the SKILL.md mentions it but the registry metadata does not; prefer skills whose metadata declares required env vars and primary credential. (2) Only supply a Brave API key you control and consider a restricted/monitoring-only key (not a broad production key). (3) Be aware the agent may fetch image bytes from external URLs (outbound downloads), which can expose your environment to remote content — if you need to limit risk, run in a sandbox or block automatic image fetching. (4) If you cannot verify the publisher/source (homepage unknown), ask the publisher to update the registry entry to list BRAVE_API_KEY as a required/primary credential or provide provenance; otherwise treat it cautiously. (5) If the metadata is corrected to explicitly require BRAVE_API_KEY and designate it as the primary credential, the mismatch concern would be resolved and my assessment would lean toward benign.
Like a lobster shell, security has layers — review code before you run it.
latest vk972mpnv7epft6374fqmjf45d57zyq8e
