Is kelexine/brave-headless safe?

https://github.com/openclaw/skills/tree/main/skills/kelexine/brave-headless

88
SAFE

kelexine/brave-headless is a well-engineered, clearly-documented Brave Search API wrapper with no evidence of malicious intent. The source code does exactly what the SKILL.md claims: it queries Brave Search and optionally fetches page content using Mozilla Readability. No credential harvesting, hidden network beaconing, prompt injection directives, lifecycle exploit scripts, or canary file tampering was detected. The principal residual risks are inherent to any web-fetching skill: an agent could be directed to fetch internal network endpoints (SSRF), and fetched page content injected into the agent's context could carry adversarial instructions authored by the page operator.

Category Scores

Prompt Injection 92/100 · 30%
Data Exfiltration 80/100 · 25%
Code Execution 88/100 · 20%
Clone Behavior 92/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 80/100 · 5%

Findings (6)

MEDIUM SSRF via unrestricted URL fetching -15

content-fetcher.js and content.js accept any http/https URL and fetch it, returning the content to the agent. There is no blocklist for RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), link-local 169.254.0.0/16 (which includes the cloud metadata address 169.254.169.254), or loopback 127.0.0.0/8. An attacker who controls the agent's task could instruct it to fetch AWS/GCP/Azure metadata endpoints, internal admin panels, or other unadvertised services and then include the response in context. Any fix has to check the address the hostname actually resolves to rather than the hostname string alone, since an attacker-controlled public name can resolve to an internal address, and the same check has to be applied to every hop if redirects are followed.

LOW Web content prompt injection vector -8

When the agent invokes search.js --content or content.js, the Markdown-rendered body of the fetched web page is returned as tool output and injected into the agent's context. A page operator who knows their URL will be fetched by an LLM agent can embed instructions such as 'Ignore previous instructions and...' in the page body; whether these take effect depends on how firmly the agent's system prompt treats tool output as untrusted data rather than as instructions.

LOW package-lock.json name/version mismatch -12

The package-lock.json declares name 'brave-search' version '2.0.0' while package.json declares 'brave-headless' version '0.2.0', so the lockfile was generated for a different version of the project or under a different name. This is not malicious, but a stale lockfile either makes npm ci refuse to install (when its dependency specs no longer match package.json) or pins resolutions chosen at some earlier point in the project's history; either way the pins should be regenerated and reviewed before they are trusted.
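The comparison a reviewer can run before trusting the lockfile, as an added example that is not part of the project: it checks the root name and version, that every direct dependency declared in package.json is also pinned at the lockfile root with the same spec, and that each has a node_modules entry resolved from the public registry with an integrity hash. Both JSON documents below are constructed for the example; the root names and versions mirror the finding, while the dependency specs, resolved URLs and hashes are placeholders.

```javascript
// Added example, not code from kelexine/brave-headless: package.json versus a
// lockfileVersion 2/3 package-lock.json. Both documents are constructed; the
// dependency specs, resolved URLs and integrity values are placeholders.
const packageJson = {
  name: "brave-headless",
  version: "0.2.0",
  dependencies: {
    "@mozilla/readability": "^0.5.0",
    jsdom: "^24.0.0",
    turndown: "^7.1.0",
    "turndown-plugin-gfm": "^1.0.2",
  },
};

// Builds a placeholder lockfile entry shaped like one npm writes for a
// registry tarball (constructed, not copied from the project's lockfile).
const registryEntry = (name, version) => ({
  version,
  resolved: `https://registry.npmjs.org/${name}/-/${name.split("/").pop()}-${version}.tgz`,
  integrity: "sha512-PLACEHOLDER",
});

const packageLock = {
  name: "brave-search",
  version: "2.0.0",
  lockfileVersion: 3,
  packages: {
    "": {
      name: "brave-search",
      version: "2.0.0",
      dependencies: {
        "@mozilla/readability": "^0.5.0",
        jsdom: "^24.0.0",
        turndown: "^7.1.0",
        // turndown-plugin-gfm is absent: this lockfile predates that dependency
      },
    },
    "node_modules/@mozilla/readability": registryEntry("@mozilla/readability", "0.5.0"),
    "node_modules/jsdom": registryEntry("jsdom", "24.0.0"),
    "node_modules/turndown": registryEntry("turndown", "7.1.3"),
  },
};

// Returns human-readable discrepancies; an empty list means the lockfile is
// in sync at the root and every direct dependency is pinned to the public
// registry with an integrity hash.
function lockfileMismatches(pkg, lock) {
  const problems = [];
  if (lock.name !== pkg.name) {
    problems.push(`root name: package.json "${pkg.name}" vs lockfile "${lock.name}"`);
  }
  if (lock.version !== pkg.version) {
    problems.push(`root version: package.json "${pkg.version}" vs lockfile "${lock.version}"`);
  }
  const packages = lock.packages || {};
  const root = packages[""] || {};
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    const declared = pkg[field] || {};
    const locked = root[field] || {};
    for (const [name, spec] of Object.entries(declared)) {
      if (!(name in locked)) {
        problems.push(`${field}/${name}: declared in package.json but absent from lockfile root (npm ci will refuse)`);
      } else if (locked[name] !== spec) {
        problems.push(`${field}/${name}: spec drift, lockfile has ${locked[name]}, package.json has ${spec}`);
      }
      const entry = packages[`node_modules/${name}`];
      if (!entry) {
        problems.push(`${field}/${name}: no node_modules/${name} entry in lockfile`);
      } else if (!entry.resolved || !entry.integrity) {
        problems.push(`${field}/${name}: lockfile entry has no resolved URL or integrity hash`);
      } else if (!entry.resolved.startsWith("https://registry.npmjs.org/")) {
        problems.push(`${field}/${name}: resolved from ${entry.resolved}, not the public registry`);
      }
    }
    for (const name of Object.keys(locked)) {
      if (!(name in declared)) {
        problems.push(`${field}/${name}: pinned in lockfile root but not declared in package.json`);
      }
    }
  }
  return problems;
}

for (const problem of lockfileMismatches(packageJson, packageLock)) {
  console.log("-", problem);
}
```

Against real files, replace the two constants with `JSON.parse(fs.readFileSync(...))` of package.json and package-lock.json; the registry check is worth keeping because a `resolved` field pointing at a git host or a private mirror is exactly the kind of pin a stale lockfile can carry unnoticed.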

LOW API key visible in error output -5

The BRAVE_API_KEY is read from process.env and copied into config objects that are passed throughout the codebase. If a ValidationError is thrown after the config has been built, or if LOG_LEVEL=debug is active and the config is logged, the key value may appear in error messages or log output surfaced to the agent, and from there in the agent's context or transcripts.

INFO npm ci not run during monitored install 0

The install script cloned the repo and copied files but did not run npm ci during the monitored period, so the dependency install itself, including any lifecycle scripts it would trigger, was not observed. The dependencies listed in package.json (@mozilla/readability, jsdom, turndown, turndown-plugin-gfm) are well-known and reputable packages. When the user eventually runs npm ci, it will install the versions pinned in package-lock.json from the npm registry, verified against the lockfile's integrity hashes.

INFO Canary file PATH syscalls attributable to audit infrastructure 0

Batch accesses to .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCloud credentials appear in auditd PATH logs at two timestamps (1771942575.726 and 1771942595.890). Each batch touches all six files within the same millisecond, which is consistent with the audit system performing pre- and post-install integrity hashing rather than with any skill process reading them.