Back to skill

Security audit

google-search

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Google search helper that uses a user-provided Google API key and sends search queries to Google's Custom Search API.

Install only if you are comfortable providing a Google Custom Search API key and having search queries sent to Google. Use a restricted key, keep any .env file private, add it to .gitignore, and avoid sending confidential search text through this tool.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill documentation describes use of environment variables for credentials and a Python script that performs outbound network access, but the skill does not declare corresponding permissions. This creates a transparency and governance gap: agents or reviewers may underestimate the skill's ability to read secrets and communicate externally, which increases risk of credential misuse or unreviewed data exfiltration.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.