← Back to Skills Marketplace
331
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install openclaw-skill-brave-rotator
Description
Brave Search API with automatic key rotation across multiple API keys to maximize free tier limits (2000 req/month per key). Use when performing web, news, o...
Usage Guidance
This skill legitimately implements key rotation for Brave Search, but it stores your API keys in plaintext in a state file and the registry metadata doesn't declare the required BRAVE_API_KEYS env var. Before installing or using it, consider: 1) review the script locally (you already have the code) and confirm you trust the source; 2) do not supply long-lived or high-privilege keys — prefer disposable keys; 3) change the code so it does not write raw keys to disk (store only masked identifiers or hashes, or avoid persistent state altogether), or set BRAVE_KEY_STATE_FILE to a secure, access-restricted path (or tmpfs); 4) run the skill in an isolated environment/container if possible; 5) if you cannot audit or modify the script, avoid providing multiple keys to it. Also consider updating registry metadata to declare BRAVE_API_KEYS so the requirement is explicit.
Capability Analysis
Type: OpenClaw Skill
Name: openclaw-skill-brave-rotator
Version: 0.1.0
The OpenClaw skill 'brave-rotator' is classified as benign. The `SKILL.md` file provides clear, non-malicious instructions for setting up and using the Brave Search API with key rotation, without any prompt injection attempts. The `scripts/brave_search.py` script correctly implements the described functionality, handling API keys from environment variables, managing a state file (`~/.brave_key_state.json`) for rotation, and making legitimate network calls to `api.search.brave.com`. There is no evidence of data exfiltration, unauthorized file access, arbitrary code execution, or other malicious intent.
Capability Assessment
Purpose & Capability
The name/description match the code: it implements Brave Search calls with multi-key rotation. However the package metadata declares no required env vars/credentials while the SKILL.md and code require BRAVE_API_KEYS — a mismatch between declared requirements and actual needs.
Instruction Scope
Runtime instructions and the script read BRAVE_API_KEYS from the environment and persist full per-key state to a JSON file (~/.brave_key_state.json by default). The code uses the raw API keys as JSON object keys, so the state file will contain actual API keys in plaintext. SKILL.md even suggests inspecting that file, encouraging exposure of secrets.
Install Mechanism
No install spec — instruction-only plus a single Python script. No downloads or external installers are invoked, which minimizes install-time risk.
Credentials
The skill actually requires BRAVE_API_KEYS (comma-separated API keys) even though metadata lists none. Requesting multiple API keys is reasonable for rotation, but persisting them in an unencrypted state file is disproportionate and unnecessary for the stated purpose.
Persistence & Privilege
The skill writes a state file to the user's home directory and persists sensitive data (the API keys and usage metadata). It does not require elevated system privileges or always:true, but persistent storage of secrets increases blast radius if the environment is shared or backed up.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install openclaw-skill-brave-rotator - After installation, invoke the skill by name or use
/openclaw-skill-brave-rotator - Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.0
- Initial release of brave-rotator: multi-key Brave Search API with automatic key rotation.
- Supports web, news, and image search with round-robin key usage and rate-limit fallback.
- State tracking for key usage and cooldowns via local JSON file.
- Simple CLI and Python import usage.
- Easily configure API keys and state file via environment variables.
Metadata
Frequently Asked Questions
What is Brave Rotator?
Brave Search API with automatic key rotation across multiple API keys to maximize free tier limits (2000 req/month per key). Use when performing web, news, o... It is an AI Agent Skill for Claude Code / OpenClaw, with 331 downloads so far.
How do I install Brave Rotator?
Run "/install openclaw-skill-brave-rotator" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Brave Rotator free?
Yes, Brave Rotator is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Brave Rotator support?
Brave Rotator is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Brave Rotator?
It is built and maintained by Marouane (@mrnsmh); the current version is v0.1.0.
More Skills