Trusted: risk score 5/100
Last scan: 2 days ago
brave-api-search
Real-time web search, autosuggest, and AI-powered answers using the official Brave Search API
A straightforward, well-documented Brave Search API wrapper with no malicious indicators — all network, filesystem, and environment access is explicitly declared and used solely for legitimate API interactions.
Skill name: brave-api-search
Analysis time: 23.9s
Engine: pi
Safe to install
Approve for use. No security concerns identified.

Security findings: 1

Severity: Low
Finding: No third-party package pinning
Details: The skill uses only the Node.js built-in fetch API. No external npm packages, pip packages, or other dependencies are declared, so there is no supply-chain or vulnerability risk from external packages.
Location: N/A
Recommendation: No action needed — this is a positive security attribute.
Resource | Declared permission | Inferred permission | Status | Evidence
Network access | READ | READ | ✓ Consistent | All three scripts call https://api.search.brave.com only
Environment variables | READ | READ | ✓ Consistent | Reads BRAVE_SEARCH_API_KEY and BRAVE_ANSWERS_API_KEY for auth only
Filesystem | NONE | READ | ✓ Consistent | The node tool reads the JS scripts (skill invocation)
Command execution | NONE | WRITE | ✓ Consistent | The node command is shell:WRITE, but it is fully declared in the skill.json command field
Clipboard | NONE | NONE | | No clipboard access
Browser | NONE | NONE | | No browser automation
Database | NONE | NONE | | No database access
Skill invocation | NONE | NONE | | No recursive skill invocation
External URLs: 3 findings
Medium: external URL https://api-dashboard.search.brave.com at SKILL.md:29
Medium: external URL https://brave.com/search/api/ at SKILL.md:137
Medium: external URL https://api.search.brave.com/res/v1 at SKILL.md:141

Directory structure

6 files · 20.2 KB · 646 lines
JavaScript: 3 files, 386 lines · Markdown: 1 file, 152 lines · JSON: 2 files, 108 lines
├─ 📋 _meta.json JSON 5L · 135 B
├─ 📜 brave_answers.js JavaScript 135L · 3.7 KB
├─ 📜 brave_search.js JavaScript 134L · 3.8 KB
├─ 📜 brave_suggest.js JavaScript 117L · 2.9 KB
├─ 📋 skill.json JSON 103L · 3.9 KB
└─ 📝 SKILL.md Markdown 152L · 5.8 KB

Security highlights

✓ Only calls a single, well-known third-party API endpoint: https://api.search.brave.com
✓ API keys used only for authentication to Brave API — never transmitted elsewhere
✓ No credential exfiltration or environment variable enumeration
✓ No shell command injection, subprocess, or eval() patterns
✓ No access to sensitive filesystem paths (~/.ssh, ~/.aws, .env)
✓ No base64-encoded payloads or obfuscated code
✓ No hidden HTML comments or steganographic payloads
✓ Complete alignment between SKILL.md documentation and actual code behavior
✓ Source-file based deployment — no external download or install step
✓ No transitive dependencies — uses only Node.js built-in fetch API
✓ Clean, readable code with proper error handling