Back to skill

Security audit

serper

Security checks across malware telemetry and agentic risk

Overview

This is a normal web-search skill that sends searches to Serper and fetches result pages; no hidden, destructive, or unrelated behavior was found.

Install only if you are comfortable with your search queries being sent to Serper and result pages being fetched from third-party sites. Do not use it for secrets, private project names, regulated data, or confidential investigations unless that external disclosure is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill clearly uses network access and environment-based secrets (Serper API key via .env), but no permissions are declared. That creates a transparency and policy-enforcement gap: users or hosting frameworks may not realize the skill can exfiltrate queries to third parties or consume secrets from the environment. In a web-search skill this capability is expected, which lowers suspicion of maliciousness, but undeclared capabilities still weaken trust and sandboxing assumptions.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README clearly describes sending user queries to the Serper API and fetching third-party webpages, but it does not prominently disclose that user input and accessed URLs are transmitted to external services. In a search/scraping skill, this omission can lead users to unknowingly share sensitive prompts, internal project terms, or regulated data with Serper and destination sites.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill description emphasizes search and page extraction but does not clearly warn that user-provided queries are transmitted to Serper/Google-adjacent infrastructure and that third-party web pages are fetched automatically. This can expose sensitive prompts, internal project names, or regulated data to external services without informed user consent. Because the skill also scrapes full page content, it increases data flow beyond a simple snippet lookup.

Natural-Language Policy Violations

Medium
Confidence
84% confidence
Finding
The skill mandates locale settings based on language or region without user opt-in, which can override user intent and silently steer queries to jurisdiction-specific results. This is primarily a privacy, autonomy, and result-integrity issue: inferred location/language choices may reveal context and may bias outputs toward a region the user did not explicitly choose. In this search-focused skill the behavior is functionally related to relevance, so the danger is limited but still real.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill sends the user-provided search query to Serper and then fetches returned result URLs from third-party websites, which discloses user input and browsing targets to external services. In this skill’s context that behavior is core functionality, but the lack of an explicit privacy warning/consent mechanism means sensitive queries could be unintentionally exposed to Serper and arbitrary websites.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.