brave-search
Audited by Socket on Mar 2, 2026
1 alert found:
Malware
This skill is a straightforward wrapper/manifest for using a Brave Search MCP server to provide web/news/local/video/image search and summarization. Its requested capabilities (network access to the Brave API and an API key) align with the stated purpose. The primary supply-chain risk is the documented npx install of @brave/search-mcp (transitive code execution from npm). The API key requirement is expected, but the key should be handled as a sensitive secret. No evidence of covert exfiltration, obfuscated code, or requests to suspicious domains is present in the provided manifest. Recommended mitigations: obtain the API key from the official Brave site, verify the npm package integrity (pin the version, use a lockfile, or vendor the package), grant the minimal scope to the key, and ensure agent logging does not leak secrets.