Google SERP Images Search API

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Google Images search API wrapper, but users should know their search terms and filters are sent to Just Serp API.

Install only if you are comfortable sending image search queries, filters, localization parameters, and your Just Serp API key to Just Serp API. Avoid secrets, personal data, regulated data, or precise location details in queries unless you have reviewed the provider's privacy and retention terms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Low
Confidence: 93%
Finding
The skill sends user-supplied search terms and optional localization parameters such as country, domain, language, and UULE to an external third-party service, but the documentation does not clearly warn users that their inputs will leave the local environment. This creates a privacy and data-handling risk because users may unknowingly submit sensitive queries or location-related metadata to Just Serp API and, transitively, Google-backed search infrastructure.

Missing User Warnings

Medium
Confidence: 92%
Finding
The operation documentation encourages sending user-controlled search queries, optional raw Google result HTML, and precise localization parameters such as country, language, and UULE to an external third-party API without any privacy notice or handling guidance. This creates a real privacy and data-governance risk because users may unknowingly transmit sensitive search terms, location context, or regulated data to a vendor and potentially receive/store raw HTML containing additional tracking or sensitive content.

VirusTotal

64/64 vendors flagged this skill as clean.
