Search for images using Brave Search API. Use when you need to find images, pictures, photos, or visual content on any topic. Requires BRAVE_API_KEY environment variable.
Security Analysis
High confidence: The skill's instructions match its stated purpose (image search via the Brave Search API), but its registry metadata fails to declare the BRAVE_API_KEY credential (and primary credential), an incoherence that should be resolved before trusting or installing it.
SKILL.md clearly implements Brave image search (curl to api.search.brave.com with X-Subscription-Token). That capability is coherent with the name/description. However, the skill text requires a BRAVE_API_KEY environment variable while the registry metadata lists no required env vars and no primary credential — this mismatch is unexpected and disproportionate.
Runtime instructions are narrowly scoped to calling the Brave Images endpoint, parsing the JSON response, and presenting images. They do not request reading local files or unrelated environment variables. Note: the SKILL.md instructs the agent to 'send images directly' which implies fetching image bytes from external URLs (normal for an image search skill but worth being aware of because it causes outbound downloads).
This is an instruction-only skill with no install spec or code files, so nothing will be written to disk by an installer. That is the lowest-risk installation model.
Requesting a single BRAVE_API_KEY is proportionate to a Brave Search integration. The concern is that the manifest/registry metadata did not declare this required env var nor mark it as the primary credential — an inconsistency that could hide needed setup steps or cause confusion about where to place credentials. Verify what the agent platform expects and that the key will not be shared beyond this skill.
The skill is not marked always:true and uses normal model invocation. It does not request persistent system-wide changes or modify other skills' configs. No elevated persistence or privilege is requested.
Guidance
Before installing:
(1) Confirm the skill actually requires and will use BRAVE_API_KEY — the SKILL.md mentions it but the registry metadata does not; prefer skills whose metadata declares required env vars and primary credential.
(2) Only supply a Brave API key you control and consider a restricted/monitoring-only key (not a broad production key).
(3) Be aware the agent may fetch image bytes from external URLs (outbound downloads), which can expose your environment to remote content — if you need to limit risk, run in a sandbox or block automatic image fetching.
(4) If you cannot verify the publisher/source (homepage unknown), ask the publisher to update the registry entry to list BRAVE_API_KEY as a required/primary credential or provide provenance; otherwise treat it cautiously.
(5) If the metadata is corrected to explicitly require BRAVE_API_KEY and designate it as the primary credential, the mismatch concern would be resolved and my assessment would lean toward benign.
Latest Release
v1.0.1
Added delivery guidance for showing images to users
Published by @zats on ClawHub