Trusted — Risk Score 5/100
Last scan: 2 days ago
brave-api-search
Real-time web search, autosuggest, and AI-powered answers using the official Brave Search API
A straightforward, well-documented Brave Search API wrapper with no malicious indicators — all network, filesystem, and environment access is explicitly declared and used solely for legitimate API interactions.
Skill Name: brave-api-search
Duration: 23.9s
Engine: pi
Safe to install
Approve for use. No security concerns identified.

Findings: 1 item

| Severity | Finding | Location |
|---|---|---|
| Low | No third-party package pinning. The skill uses only Node.js built-in fetch API. No external npm packages, pip packages, or dependencies are declared, eliminating supply-chain risk. No vulnerability risk from external packages. | N/A |
→ No action needed — this is a positive security attribute.
N/A
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Network | READ | READ | ✓ Aligned | All three scripts call https://api.search.brave.com only |
| Environment | READ | READ | ✓ Aligned | Reads BRAVE_SEARCH_API_KEY and BRAVE_ANSWERS_API_KEY for auth only |
| Filesystem | NONE | READ | ✓ Aligned | node tool reads JS scripts (skill invocation) |
| Shell | NONE | WRITE | ✓ Aligned | node command is shell:WRITE, but fully declared in skill.json command field |
| Clipboard | NONE | NONE | | No clipboard access |
| Browser | NONE | NONE | | No browser automation |
| Database | NONE | NONE | | No database access |
| Skill Invoke | NONE | NONE | | No recursive skill invocation |
3 findings
| Severity | Type | URL | Location |
|---|---|---|---|
| Medium | External URL | https://api-dashboard.search.brave.com | SKILL.md:29 |
| Medium | External URL | https://brave.com/search/api/ | SKILL.md:137 |
| Medium | External URL | https://api.search.brave.com/res/v1 | SKILL.md:141 |

File Tree

6 files · 20.2 KB · 646 lines
JavaScript 3f · 386L Markdown 1f · 152L JSON 2f · 108L
├─ 📋 _meta.json JSON 5L · 135 B
├─ 📜 brave_answers.js JavaScript 135L · 3.7 KB
├─ 📜 brave_search.js JavaScript 134L · 3.8 KB
├─ 📜 brave_suggest.js JavaScript 117L · 2.9 KB
├─ 📋 skill.json JSON 103L · 3.9 KB
└─ 📝 SKILL.md Markdown 152L · 5.8 KB

Security Positives

✓ Only calls a single, well-known third-party API endpoint: https://api.search.brave.com
✓ API keys used only for authentication to Brave API — never transmitted elsewhere
✓ No credential exfiltration or environment variable enumeration
✓ No shell command injection, subprocess, or eval() patterns
✓ No access to sensitive filesystem paths (~/.ssh, ~/.aws, .env)
✓ No base64-encoded payloads or obfuscated code
✓ No hidden HTML comments or steganographic payloads
✓ Complete alignment between SKILL.md documentation and actual code behavior
✓ Source-file based deployment — no external download or install step
✓ No transitive dependencies — uses only Node.js built-in fetch API
✓ Clean, readable code with proper error handling