Is brave/brave-search-mcp-server safe?
https://github.com/brave/brave-search-mcp-server
The brave/brave-search-mcp-server is an official Brave Software release providing web, image, video, news, local, and AI summarizer search via Brave's API. The codebase is clean TypeScript with no prompt injection content, no hooks into sensitive file paths, no data encoding tricks, and no unexpected network destinations. The only notable behaviors are a benign prepare lifecycle script (Prettier + tsc) and the inherent privacy characteristic of any hosted search API: all user queries leave the local environment bound for api.search.brave.com.
Findings (4)
LOW prepare lifecycle hook runs code at npm install -8
The prepare script in package.json executes Prettier and tsc whenever npm install is run. While the content is benign, any code execution at install time warrants disclosure. There are no preinstall or postinstall hooks.
LOW All search queries transmitted to Brave API -5
This is expected behavior for a search MCP server, but users should understand that every query routed through this tool is sent to Brave's search API with the configured API key. The API key itself is transmitted as an HTTP header on each request.
INFO Canary files accessed only by audit infrastructure, not skill code 0
The filesystem events show accesses to /home/oc-exec/.env, .ssh/id_rsa, .aws/credentials, etc. at timestamp 1771787024 — before the git clone began at 1771787030. These accesses originate from the sudo/monitoring setup process. Canary integrity check confirmed no exfiltration. The skill source code contains no logic to read files outside its working directory.
INFO SKILL.md is empty — no prompt injection surface 0
The skill contains no SKILL.md content whatsoever. There are no system prompt modifications, persona overrides, hidden instructions, or obfuscated unicode in any of the skill's files.