Google Search Skill

Security checks across malware telemetry and agentic risk

Overview

This search skill appears to do what it says: send user search queries to Serper.dev to return Google Search results.

Install only if you are comfortable with search queries being sent to Serper.dev/Google-backed infrastructure. Avoid using it for secrets, private customer data, proprietary project names, or regulated information unless your policies allow that provider.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 92%
Finding
The README explicitly promotes sending user search queries to Serper.dev, a third-party service, but does not clearly warn that user prompts, search terms, and potentially sensitive agent-generated queries will leave the local environment and be processed by an external provider. In an agent context, searches may include confidential user data or derived secrets, so the lack of disclosure and guidance increases the risk of unintended data exposure and privacy/compliance issues.

Missing User Warnings

Medium
Confidence: 90%
Finding
The script takes a user-provided query and sends it to an external search service via `query(type, params)` without any explicit disclosure, confirmation, or warning that the query contents will leave the local environment. In an agent skill context, users may enter sensitive terms, internal project names, credentials, or proprietary data, so silent transmission to a third-party service creates a real privacy and data-leak risk.

VirusTotal

63/63 vendors flagged this skill as clean.
