brave-search
Pass
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill exposes an attack surface for indirect prompt injection by fetching and displaying untrusted content from arbitrary web pages to the agent.
  - Ingestion points: The scripts `search.js` (line 120) and `content.js` (line 41) fetch external HTML content from URLs provided at runtime.
  - Boundary markers: The output uses separators such as `--- Result N ---` to organize results, but it lacks explicit instructions or semantic delimiters that would prevent the agent from mistaking text within the search results for system instructions.
  - Capability inventory: The skill scripts are restricted to network requests and text processing; no dangerous capabilities such as file system modification, command execution, or sensitive data access were detected.
  - Sanitization: The implementation uses `@mozilla/readability`, `jsdom`, and `turndown` to extract and clean web content. This removes executable scripts and formatting, but it does not filter or sanitize natural language instructions that might be embedded in the extracted text.
Audit Metadata