Code Plugin · source linked · Verified

Brave v2026.5.28

OpenClaw Brave Search provider plugin for web search.

@openclaw/brave-plugin·runtime brave·by @openclaw
openclaw plugins install clawhub:@openclaw/brave-plugin
Latest release: v2026.5.28

Capabilities

configSchema: Yes
Executes code: Yes
HTTP routes: 0
Runtime ID: brave

Compatibility

Built With OpenClaw Version: 2026.5.28
Min Gateway Version: >=2026.4.10
Plugin API Range: >=2026.5.28
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The artifacts consistently implement an OpenClaw web search provider for Brave, registering only a webSearch provider and sending search requests to Brave or a configured Brave-compatible endpoint.
Instruction Scope
Runtime behavior is scoped to user or agent-invoked web search, but when the brave.http diagnostic flag is enabled it logs full request URLs, query text, and parameters.
Install Mechanism
The package is an @openclaw official plugin with a normal npm package layout, no lifecycle scripts, no bundled third-party dependencies, and startup activation disabled.
Credentials
Use of a Brave API key from plugin config or BRAVE_API_KEY and outbound API requests is expected for a Brave Search provider; the optional baseUrl is disclosed and constrained to HTTP(S) with private-network checks for HTTP/self-hosted use.
Persistence & Privilege
The plugin uses OpenClaw SDK search caching for query results and metadata, but does not install background workers, request elevated privileges, or show unrelated persistence.
Scan Findings in Context
[SQP-2] expected: The artifact supports the scanner's observation that diagnostics log raw search URLs and query parameters. This is a privacy risk if diagnostics are enabled, but it is gated by an explicit diagnostic flag and is not hidden or automatic, so it does not change the benign verdict.
[suspicious.exposed_secret_literal] expected: The static scan appears to flag normal API-key handling at runtime, not a hardcoded secret. The code reads a configured secret or BRAVE_API_KEY and passes it as Brave's X-Subscription-Token, which is necessary for the provider.
[VirusTotal clean] expected: VirusTotal reported no malicious or suspicious detections across supplied engines; this supports but does not determine the verdict.
Assessment
Install this if you want OpenClaw to use Brave Search and are comfortable providing a Brave Search API key. Avoid putting sensitive personal or confidential material in search queries when diagnostic logging is enabled, and use a custom base URL only if you trust that proxy or self-hosted endpoint.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
dist/brave-web-search-provider.runtime-DqjJHSR5.js:333: File appears to expose a hardcoded API secret or token.

Verification

Tier: source linked
Scope: artifact only
Summary: Validated package structure and linked the release to source metadata.
Commit: e93216080aa1
Tag: refs/heads/release/2026.5.28
Provenance: No
Scan status: clean

Tags

alpha: 2026.5.19-alpha.1
beta: 2026.6.1-beta.1
latest: 2026.5.28

@openclaw/brave-plugin

Official Brave Search provider plugin for OpenClaw.

This plugin registers Brave as a web_search provider. It supports normal Brave web search and Brave LLM Context API mode.

Install

openclaw plugins install @openclaw/brave-plugin

Restart the Gateway after installing or updating the plugin.

Configure

Store a Brave Search API key in plugin config or expose BRAVE_API_KEY to the Gateway:

openclaw config set plugins.entries.brave.enabled true
openclaw config set tools.web.search.provider brave

Provider-specific options live under plugins.entries.brave.config.webSearch.*.

Docs

Full setup, config examples, search modes, and tool parameters:

Package

  • Plugin id: brave
  • Package: @openclaw/brave-plugin
  • Minimum OpenClaw host: 2026.4.10