Is brave-search safe?

https://clawhub.ai/steipete/brave-search

82
SAFE

This is a straightforward web search and content extraction skill with clean code, no install-time behavior, and no prompt injection. The primary risk is that its URL-fetching capability creates a potential data exfiltration channel if combined with other skills or malicious prompts. The SKILL.md misleadingly references a BRAVE_API_KEY that the code never uses, instead scraping Brave Search directly.

Category Scores (score / weight)

Prompt Injection 95/100 · 30%
Data Exfiltration 72/100 · 25%
Code Execution 68/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 65/100 · 5%

Findings (6): severity · title · score impact

MEDIUM Arbitrary URL fetching enables potential exfiltration channel -18

content.js and search.js (with the --content flag) fetch arbitrary user-supplied URLs and return their content. While this is the stated purpose, it creates a potential exfiltration vector: a malicious prompt could trick the agent into encoding sensitive data into the URL parameters of an attacker-controlled endpoint.

LOW BRAVE_API_KEY referenced but never used -10

SKILL.md states 'Needs env: BRAVE_API_KEY', but neither search.js nor content.js references this environment variable. search.js scrapes Brave Search HTML directly instead of using the official API. This is misleading documentation: the skill works without any API key.

LOW Heavyweight jsdom dependency increases attack surface -7

jsdom provides a full DOM implementation including script execution capabilities. While used legitimately here for HTML parsing and Readability extraction, it is a large dependency tree that increases the supply-chain attack surface compared to lighter alternatives like cheerio.

INFO Combination risk with file-reading skills -5

If installed alongside a skill that can read local files, an attacker could chain the two: read sensitive file contents with one skill, then exfiltrate them via URL parameters using this skill's content.js or the search.js --content flag.

INFO No prompt injection vectors detected 0

SKILL.md is clean documentation with no hidden instructions, invisible characters, or attempts to override agent behavior. The skill does not request elevated permissions beyond shell execution.

LOW No input validation on URL parameter -5

content.js accepts any URL from argv without validation. While the 15-second AbortSignal timeout limits exposure, there is no scheme validation (e.g., a file:// URL could be attempted, depending on the Node.js fetch implementation).