Web search and content extraction via Brave Search API. Use for searching documentation, facts, or any web content. Lightweight, no browser required.
Security Analysis
High confidence: The skill's description and README claim a Brave Search API integration and an API key, but the shipped code actually scrapes Brave Search HTML and does not use any API key. That mismatch (plus an instruction to run `npm ci`) is an inconsistency worth asking the author about or treating cautiously.
The skill is advertised as using the Brave Search API and the SKILL.md says it needs BRAVE_API_KEY, but the code (search.js) performs an HTTP GET against https://search.brave.com/search and parses HTML snippets — there is no use of an API key or any Brave API endpoints. The declared registry metadata also lists no required env vars, creating a clear mismatch between advertised purpose and actual capability.
SKILL.md tells the user to run `npm ci` and to set BRAVE_API_KEY, but runtime instructions in the code only fetch search.brave.com and arbitrary page URLs and output extracted content to stdout. The code does fetch arbitrary external URLs (search page and any target pages) which is consistent with a search/extraction tool but means the agent will download external HTML (and any content the user asks it to fetch). The explicit ask for BRAVE_API_KEY in the README is not reflected in the code.
There is no formal install spec in the registry (instruction-only), but SKILL.md instructs running `npm ci` in the skill directory. A package-lock.json and package.json are provided, and dependencies are pulled from the public npm registry — this is normal for Node tools but installs many third-party packages to disk (moderate risk compared to instruction-only skills). No download-from-unknown-URL or archive extraction is used.
The README requires BRAVE_API_KEY, but the code does not read any environment variables. Requesting an API key (a secret) is not justified by the implementation. Aside from this mismatch, the skill does not request other credentials or config paths.
The skill does not request 'always: true' and uses the platform defaults. It does not modify other skills or system-wide settings; runtime behavior is limited to performing HTTP requests and printing output.
Guidance
This skill contains a clear inconsistency: its description and SKILL.md say it uses the Brave Search API and asks for BRAVE_API_KEY, but the code simply scrapes https://search.brave.com and never reads an API key. Before installing or running: (1) ask the publisher why an API key is claimed but not used; (2) review the code yourself (it will fetch arbitrary URLs and output their content — don't point it at private/internal URLs or pages containing secrets); (3) run `npm ci` and the scripts in an isolated/sandboxed environment if you want to test; and (4) if you need an official Brave Search API integration, prefer a skill that actually uses the documented API and declares the credential requirement accurately.
Latest Release
v1.0.1
Published by @steipete on ClawHub