Serper Clone

Security checks across malware telemetry and agentic risk

Overview

This is a documented self-hosted search skill with no hidden installer or automation, though users should understand that search privacy depends on the backend configuration.

Install this only with a Serper Clone/SearXNG server you control or trust. Protect the API key file, use HTTPS where possible, avoid highly sensitive searches unless you have verified the backend's logging and upstream-engine configuration, and encode JSON safely if reusing the shell helper.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

External Transmission

Medium

Category: Data Exfiltration
Content: local api_key=$(grep '^API_KEY=' ~/.openclaw/workspace/.serper-clone-api-key | cut -d'=' -f2) local base_url=$(grep '^BASE_URL=' ~/.openclaw/workspace/.serper-clone-api-key | cut -d'=' -f2) curl -s -X POST "$base_url/$endpoint" \ -H "X-API-KEY: $api_key" \ -H "Content-Type: application/json" \ -d "{\"q\": \"$query\", \"num\": $num}"
Confidence: 88% confidence
Finding: curl -s -X POST "$base_url/$endpoint" \ -H "X-API-KEY: $api_key" \ -H "Content-Type: application/json" \ -d

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal