brave-search
Pass
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: SAFE, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it fetches and processes untrusted data from the public web which is then incorporated into the agent's context. An attacker could host malicious instructions on a website that the agent visits via search results or a direct link, potentially influencing the agent's subsequent actions.
  - Ingestion points: search.js (Brave search results snippets) and content.js (full web page content).
  - Boundary markers: None; the skill outputs raw text or markdown to the console without delimiters or instructions to ignore embedded commands.
  - Capability inventory: The skill performs network requests (fetch) and DOM parsing (jsdom), but the resulting data is fed into the agent which may have broader capabilities.
  - Sanitization: While the skill uses @mozilla/readability and turndown to strip HTML tags and format content, it does not sanitize the textual content for prompt injection patterns.
- [SAFE]: The documentation in SKILL.md contains a discrepancy, claiming the skill requires a BRAVE_API_KEY and uses the Brave Search API, whereas search.js performs HTML scraping of the Brave Search results page. This is a best-practice violation in documentation but does not present a direct security vulnerability to the user's environment.
Audit Metadata