Google SERP Search Mobile API

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Just Serp API search helper; it sends your search terms and optional location fields to that service but shows no hidden local access or persistence.

Install only if you are comfortable sending Google search queries and optional location, UULE, business/entity identifiers, and raw HTML result requests to Just Serp API using your API key. Avoid submitting secrets, personal data, regulated data, or confidential research terms unless that matches your data-handling requirements.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The manifest advertises an external search API but does not disclose that user-supplied queries and localization fields like location, country, domain, and UULE are sent to a third-party provider. In agent settings, this can cause unintended transmission of sensitive search terms or precise location context, creating privacy and data-handling risk even if the API itself is functioning as designed.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal