WebSearch with SerpApi

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward SerpAPI web-search helper, with normal third-party query sharing and API-key setup risks to understand before use.

Install only if you are comfortable sending search terms to SerpAPI. Set the API key with `SERPAPI_API_KEY` instead of editing the source file, avoid searching secrets or confidential data, and consider pinning/reviewing the `serpapi` dependency in controlled environments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 97%
Finding
The setup instructions explicitly tell users to replace the API key directly in `serpapi_search.py`, encouraging hardcoded credentials in source files. Hardcoded secrets are easily leaked through version control, logs, backups, or sharing of the skill, which can lead to unauthorized API use and credential compromise.

Missing User Warnings

Medium
Confidence: 88%
Finding
The function transmits the user's raw query to a third-party service (SerpAPI) without any in-code notice, consent mechanism, or privacy guardrails. In an agent setting, user queries may contain sensitive data, so silent external transmission can create a real privacy and data-handling risk even if the implementation is otherwise straightforward.

VirusTotal

63/63 vendors flagged this skill as clean.
