Back to skill

Security audit

Serpapi Mcp

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed SerpAPI search wrapper with optional Airtable logging, so it has privacy considerations but no hidden or malicious behavior in the artifacts.

Install only if you are comfortable sending search queries and results to SerpAPI. Keep SERP_LOG_AIRTABLE disabled unless you intentionally want full query/result logging in Airtable, and use a least-privilege Airtable token limited to the intended base/table. Avoid sensitive searches if Airtable logging is enabled, and verify the mcporter npm package before installing it globally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill clearly performs outbound network access to SerpAPI’s MCP endpoint, yet the manifest does not declare permissions or otherwise surface that capability in a machine-readable way. Undeclared network capability weakens policy enforcement and review, making it easier for a skill to access external services without explicit operator awareness.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
This script adds persistent Airtable logging of full SerpAPI results and query metadata, which goes beyond the stated purpose of performing web searches via SerpAPI. Because it ingests stdin and uploads raw results, summaries, links, and query context to a separate third party, it creates an undisclosed secondary data flow and retention surface that may capture sensitive user queries or returned content.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code introduces an unrelated outbound storage channel to Airtable using environment-provided credentials and posts stdin-derived search data there. In an agent skill context, this is dangerous because user prompts, search terms, search results, and derived summaries can be silently exfiltrated to a third-party SaaS outside the expected SerpAPI flow.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The script's stated purpose is to run SerpAPI searches, but it also includes optional transmission of the user's search query and returned results to Airtable. Even though this behavior is gated by an environment variable, it creates a secondary data flow to a third-party service that is unrelated to the core search function and could expose sensitive queries or result content without clear user awareness.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The Airtable logging capability is not necessary to fulfill the advertised function of performing web searches through SerpAPI MCP. Because it can export both the user's query and the full search response to another external system, it increases the attack surface and creates unjustified exfiltration risk if enabled by deployers or inherited environment configuration.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill advertises optional persistence of full queries and full SerpAPI JSON responses into Airtable, which may contain sensitive user inputs, derived metadata, and search results, but it does not provide a clear user-facing warning or consent boundary. This creates a data exfiltration and privacy risk because externally storing search content can expose personal, proprietary, or regulated information beyond the immediate runtime.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script performs a network POST to Airtable with collected search metadata and result content without any user-facing notice at the point of upload. Silent transmission reduces transparency and can violate privacy expectations, especially in a search skill where users would reasonably expect data to go to SerpAPI but not to a separate persistence provider.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script places the SerpAPI key directly into the query string, which can expose it through logs, process listings, proxies, monitoring tools, browser/history equivalents in debugging workflows, and upstream infrastructure that records full URLs. Although the request is sent over HTTPS, URL-based secrets are still more broadly propagated than headers or POST bodies, making accidental credential disclosure more likely.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
When enabled, the script sends search queries and result data to Airtable without any runtime user-facing notice or confirmation; the only indication is an internal comment and environment toggle. This is dangerous because user searches may contain sensitive or proprietary information, and silently forwarding that data to a separate SaaS platform can violate privacy expectations and organizational data-handling policies.

External Transmission

Medium
Category
Data Exfiltration
Content
if (fields[k] === undefined) delete fields[k];
  }

  const url = `https://api.airtable.com/v0/${encodeURIComponent(baseId)}/${encodeURIComponent(table)}`;

  async function getTableSchema() {
    const metaUrl = `https://api.airtable.com/v0/meta/bases/${encodeURIComponent(baseId)}/tables`;
Confidence
90% confidence
Finding
https://api.airtable.com/

External Transmission

Medium
Category
Data Exfiltration
Content
const url = `https://api.airtable.com/v0/${encodeURIComponent(baseId)}/${encodeURIComponent(table)}`;

  async function getTableSchema() {
    const metaUrl = `https://api.airtable.com/v0/meta/bases/${encodeURIComponent(baseId)}/tables`;
    const resp = await fetch(metaUrl, {
      headers: { Authorization: `Bearer ${token}` },
    });
Confidence
91% confidence
Finding
https://api.airtable.com/

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/airtable_log.mjs:14