brave-search
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Flags: EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (LOW): The skill fetches content from arbitrary external websites and hands it to the agent, so instructions embedded in a web page (in plain prose, not in scripts) can influence agent behavior.
- Ingestion points: content.js and search.js ingest untrusted data from URLs passed as arguments and from URLs found in search results.
- Boundary markers: Output separates content blocks with standard delimiters such as '--- Result X ---', but carries no explicit instruction to the agent to treat the enclosed text as data and to ignore instructions found inside it. Because the delimiter is fixed and predictable, a fetched page can reproduce it in its own body to forge an extra result block.
- Capability inventory: The skill is limited to performing network requests via fetch() and writing text to the console; it has no file-writing or shell-execution capability, which keeps the impact of a successful injection to whatever the calling agent does with the text.
- Sanitization: Uses @mozilla/readability and JSDOM to extract the core article content and turndown to convert it to markdown, which strips scripts and complex HTML. This removes executable content but not natural-language instructions, which is the vector that matters for an LLM consumer.
- Data Exposure & Exfiltration (LOW): The skill performs network operations to non-whitelisted domains (including api.search.brave.com and arbitrary external websites) as part of its core search and content-extraction functionality. Since content.js fetches URLs supplied as arguments, any agent context placed in such a URL (for example in a query string) would reach the host that serves it.
Audit Metadata