Security audit

gemini-smart-search

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Gemini-backed search skill that uses a local script, a Gemini API key, and Google/Gemini network calls as expected for its purpose.

Install only if you are comfortable providing a Gemini API key and sending search queries to Google/Gemini. Keep `.env.local` gitignored and limited to the needed Gemini key values; avoid putting unrelated secrets in that file, and do not use the skill for confidential or regulated queries unless third-party disclosure is approved.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (3)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 92% confidence
Finding: The skill explicitly instructs the agent to run a local Python or shell script, load environment variables including API keys, read repo-local files such as .env.local, and make outbound network requests to Gemini/Google Search, yet no permissions are declared for those capabilities. This mismatch weakens policy enforcement and user visibility: an agent or platform may permit execution without clearly surfacing that the skill can access secrets, local files, and the network.

Context-Inappropriate Capability

Medium

Confidence: 89% confidence
Finding: The script automatically reads a repository-local .env.local file and imports all key/value pairs into the process environment, even though the tool only needs a Gemini API key. This broad local secret-loading behavior expands the skill’s access to unrelated credentials and configuration, increasing the risk of accidental secret exposure to downstream code, logs, or future changes.

Missing User Warnings

Low

Confidence: 84% confidence
Finding: The document explicitly records that a repo-local environment file was sourced and that authenticated requests were made to an external API using that local credential context. Even though it says no secrets are recorded, this normalizes credential access and outbound probing behavior without an explicit warning, approval boundary, or safer procedure, which can encourage operators or future automation to repeat sensitive actions implicitly.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.