Google SERP Hotels Search API

Security checks across malware telemetry and agentic risk

Overview

This skill is a narrowly scoped hotel-search API helper that sends declared search parameters to Just Serp API using the user's API key.

Install only if you are comfortable sharing hotel search terms, dates, and filters with Just Serp API and using a JUST_SERP_API_KEY for that service. Avoid using it for sensitive travel plans unless that sharing is acceptable.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill explicitly directs sending user-provided travel search data, including destination queries and stay dates, to an external third-party API, but it does not instruct the agent to clearly warn the user or obtain consent before transmitting that data. While the data is not highly sensitive by default, travel plans can reveal personal or business intent, making silent exfiltration to an external service a meaningful privacy risk.

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal