Security audit

Google Webmcp

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent Google Search and Gemini automation helper, but users should understand it uses a persistent authenticated Google browser profile and can save generated images locally.

Install only if you are comfortable using a managed Google profile for Search and Gemini automation. Prefer an isolated Google profile or account, verify the referenced webmcp-bridge/local-mcp tooling on your machine, and check where Gemini image downloads are saved before using it for sensitive content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Missing User Warnings

Medium
Confidence: 89%
Finding
The skill explicitly supports downloading Gemini-generated images from an authenticated browser profile, but the description does not clearly warn users that files may be written to local storage. This can cause users to trigger downloads without understanding persistence, storage location, or possible exposure of sensitive generated content on disk, especially in shared or managed environments.

VirusTotal

60/60 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.