brave-search
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFEPROMPT_INJECTIONNO_CODE
Full Analysis
- [PROMPT_INJECTION]: The skill acts as an ingestion point for untrusted web content, which is a primary vector for indirect prompt injection attacks.
- Ingestion points: The scripts
search.jsandcontent.jsare designed to fetch search result snippets and full webpage content from arbitrary external URLs. - Boundary markers: The skill uses basic structural delimiters like
--- Result 1 ---and field labels (Title, Link, Snippet, Content), which provide visual separation but are insufficient to prevent an LLM from interpreting instructions embedded within the untrusted web data. - Capability inventory: While the provided markdown does not list direct high-privilege capabilities, the data is intended for an AI agent that may have access to other tools or file systems.
- Sanitization: There is no evidence of sanitization, filtering, or instruction-stripping for the content retrieved from the web before it is passed to the agent.
- [NO_CODE]: The skill definition references external scripts (
search.js,content.js) and a Node.js configuration (package.json), but these files were not included in the analysis package. The security of the actual implementation of these scripts cannot be verified.
Audit Metadata