ClawHub

SerpAPI

PassAudited by ClawScan on May 1, 2026.

Overview

The artifacts show a coherent SerpAPI search wrapper with no malicious behavior; users should be aware it uses an API key and sends searches and optional location data to SerpAPI.

This skill appears safe for its stated purpose. Before installing, verify you are comfortable using an unknown-source wrapper, configure a dedicated SerpAPI key if possible, avoid sensitive search terms, and check any default location stored in TOOLS.md.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Info
#ASI04: Agentic Supply Chain Vulnerabilities
What this means

A user may want to verify the wrapper before trusting it with a SerpAPI credential.

Why it was flagged

The skill points to SerpAPI but does not identify a verified source, which matters because the wrapper handles a provider API key.

Skill content
Source: unknown; Homepage: https://serpapi.com
Recommendation

Review the included script and use a dedicated, revocable API key; prefer a verified publisher if official provenance is required.

Low
#ASI03: Identity and Privilege Abuse
What this means

Using the skill will consume searches under the configured SerpAPI account.

Why it was flagged

The script reads the SerpAPI key from the environment and includes it in API request parameters; this is expected for the service but grants use of the account quota.

Skill content
key = os.environ.get("SERPAPI_API_KEY") ... params = {"api_key": api_key, "engine": ENGINES.get(engine, engine)}
Recommendation

Use a dedicated key if possible, monitor SerpAPI usage, and rotate or revoke the key if it is no longer needed.

Low
#ASI07: Insecure Inter-Agent Communication
What this means

Search terms and location-related context may be shared with SerpAPI as part of normal operation.

Why it was flagged

User search queries are sent to the external SerpAPI provider, and optional location, country, and language parameters can also be included.

Skill content
SERPAPI_BASE = "https://serpapi.com/search.json" ... params["q"] = query ... urlopen(req, timeout=30)
Recommendation

Avoid placing secrets or highly sensitive personal details in search queries, and review SerpAPI's privacy and retention practices if needed.

Info
#ASI06: Memory and Context Poisoning
What this means

A stale or unintended default location could bias searches or disclose an approximate location to the provider.

Why it was flagged

The skill can reuse a persistent workspace default location for future searches, which may affect results and be sent as a location parameter.

Skill content
Optionally set default location in `<workspace>/TOOLS.md`: ... Default location: Pittsburgh, PA
Recommendation

Keep the SerpAPI section of TOOLS.md accurate, or omit the default location if you do not want it reused automatically.