google-search

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward web-search skill that sends search queries to an external SkillBoss/HeyBossAI API using a user-provided API key.

Install only if you are comfortable sending search terms to SkillBoss/HeyBossAI. Use a dedicated, revocable API key and avoid searching for secrets, private documents, customer data, or confidential business information.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 84% confidence
Finding: The skill sends user-provided search queries and an API credential to a third-party external service without any in-code disclosure, consent mechanism, or data-handling notice. In an agent setting, users may reasonably assume searches are local or platform-native, so undisclosed transmission can create privacy and compliance risk, especially if prompts contain sensitive data.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal