Skill details

Brave Search

steipete/brave-search

v1.0.1 MIT-0 Peter Steinberger

Web search and content extraction via Brave Search API. Use for searching documentation, facts, or any web content. Lightweight, no browser required.

Author Peter Steinberger
Updated Mar 12, 2026
Version v1.0.1
Downloads 35,900
Stars 140
Current installs 454
All-time installs 477

Security scan

VirusTotal: Benign
OpenClaw: Suspicious (high confidence)

The skill's description and README claim a Brave Search API integration and an API key, but the shipped code actually scrapes Brave Search HTML and does not use any API key — that mismatch (plus an instruction to run npm ci) is inconsistent and worth asking the author or treating cautiously.

! Purpose & Capability
The skill is advertised as using the Brave Search API and the SKILL.md says it needs BRAVE_API_KEY, but the code (search.js) performs an HTTP GET against https://search.brave.com/search and parses HTML snippets — there is no use of an API key or any Brave API endpoints. The declared registry metadata also lists no required env vars, creating a clear mismatch between advertised purpose and actual capability.

ℹ Instruction Scope
SKILL.md tells the user to run `npm ci` and to set BRAVE_API_KEY, but runtime instructions in the code only fetch search.brave.com and arbitrary page URLs and output extracted content to stdout. The code does fetch arbitrary external URLs (search page and any target pages) which is consistent with a search/extraction tool but means the agent will download external HTML (and any content the user asks it to fetch). The explicit ask for BRAVE_API_KEY in the README is not reflected in the code.

ℹ Install Mechanism
There is no formal install spec in the registry (instruction-only), but SKILL.md instructs running `npm ci` in the skill directory. A package-lock.json and package.json are provided, and dependencies are pulled from the public npm registry — this is normal for Node tools but installs many third-party packages to disk (moderate risk compared to instruction-only skills). No download-from-unknown-URL or archive extraction is used.

! Credentials
The README requires BRAVE_API_KEY, but the code does not read any environment variables. Requesting an API key (a secret) is not justified by the implementation. Aside from this mismatch, the skill does not request other credentials or config paths.

✓ Persistence & Privilege
The skill does not request 'always: true' and uses the platform defaults. It does not modify other skills or system-wide settin…