google-search
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill appears to do what it claims—perform Google Custom Search—but it requires Google credentials and sends search queries to Google.
Install this only if you are comfortable providing a Google Custom Search API key and having the agent's search queries sent to Google. Use a restricted key, keep the .env file private, and avoid submitting sensitive information as search terms.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
66/66 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
You must provide Google Custom Search credentials, and those credentials authorize API usage under your Google project.
The script reads Google API credentials from the environment. This is purpose-aligned for Google Custom Search, but users should notice it because the registry metadata lists no required environment variables or primary credential.
api_key = os.getenv("GOOGLE_API_KEY")
cse_id = os.getenv("GOOGLE_CSE_ID")
Use a restricted API key, limit it to the Custom Search API where possible, keep it out of version control, and update metadata to declare the required environment variables.
Google will receive the search terms the agent submits, along with the API key and CSE ID needed to run the search.
The script sends the search query, API key, and search engine ID to Google's Custom Search endpoint. This is disclosed and central to the skill's purpose, but it is still an external provider data flow.
url = "https://www.googleapis.com/customsearch/v1"
params = {
    'q': query,
    'key': api_key,
    'cx': cse_id,
    'num': num_results
}
response = requests.get(url, params=params)
Avoid putting private or confidential information in search queries, and use a dedicated/restricted Google API key for this skill.
