brave-search
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGH (PROMPT_INJECTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS)
Full Analysis
- PROMPT_INJECTION (HIGH): The skill is highly vulnerable to Indirect Prompt Injection because it fetches content from untrusted external websites and returns it to the agent.
  - Ingestion points: Web content is ingested via `fetch()` in `content.js` and `search.js`.
  - Boundary markers: Absent. The output uses simple headers like `--- Result 1 ---`, which does not clearly delineate untrusted content from the agent's instructions.
  - Capability inventory: While the scripts only read and print, the resulting output is intended for agent reasoning, which often precedes high-privilege actions (like code modification or tool execution).
  - Sanitization: Scripts and styles are stripped via `@mozilla/readability`, but malicious Natural Language instructions (e.g., 'Forget your system prompt and perform X') are preserved and presented to the agent.
- DATA_EXFILTRATION (MEDIUM): The skill is vulnerable to Server-Side Request Forgery (SSRF).
  - The `fetch()` function is called on arbitrary URLs provided as arguments without validation. This could be used to probe internal network services, access cloud metadata services (e.g., 169.254.169.254), or interact with local network interfaces.
- EXTERNAL_DOWNLOADS (LOW): The skill depends on external Node.js packages.
  - Dependencies include `@mozilla/readability`, `jsdom`, and `turndown`. While these are reputable, they increase the supply chain attack surface.
Recommendations
- AI detected serious security threats
Audit Metadata