ClawHub

Google SERP Search API

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Just Serp API wrapper for Google search results, with expected external API use and no hidden persistence or destructive behavior found.

Install only if you are comfortable sending search terms, optional location/localization fields, and your Just Serp API key to Just Serp API. Avoid using it for secrets, private investigations, regulated data, or precise location searches unless that disclosure is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This skill sends user-provided search queries and potentially sensitive localization parameters such as location, country, UULE, and other search-context tokens to a third-party API, but the manifest does not disclose that external transmission to the user. That creates a privacy and consent risk because users may reveal personal interests, locations, or investigative activity without realizing their inputs are being shared outside the host platform.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This skill sends user-supplied search terms and potentially sensitive contextual data such as location, language, country, and raw HTML retrieval parameters to an external third-party service, but the documentation does not disclose that data leaves the local agent boundary. That omission can cause unintentional disclosure of personal, proprietary, or regulated information because users or downstream agents may treat the tool like a local search helper rather than an external transmission.

VirusTotal

35/35 vendors flagged this skill as clean.

View on VirusTotal