serper-search
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: serper-search Version: 1.0.0 The OpenClaw AgentSkills skill bundle for Serper Google Search is benign. The `index.ts` file correctly implements the stated functionality, making network calls only to the legitimate `google.serper.dev` API endpoint using the provided API key and user query. There is no evidence of data exfiltration beyond the necessary API interaction, no malicious execution (e.g., `eval`, `exec`, `curl|bash`), no persistence mechanisms, and no prompt injection attempts against the AI agent in `SKILL.md`. All files align with the stated purpose of providing Google search results.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Searches made through the tool may consume your Serper.dev quota and are associated with the API key you provide.
The plugin uses a configured or environment Serper API key to authenticate outbound Serper.dev API calls. This is expected for the stated purpose, but it gives the tool access to the user's Serper account quota.
const apiKey =
pluginConfig.apiKey || process.env.SERPER_API_KEY || "";
...
"X-API-KEY": apiKeyUse a dedicated Serper.dev API key with appropriate quota limits, and only enable the plugin if you are comfortable sending search queries to Serper.dev.
If installed through a package manager, the exact dependency version may vary over time.
The dependency is declared with a semver range rather than an exact pinned version, so an install could resolve a newer compatible package version. The dependency appears purpose-aligned for tool parameter schemas, and no install script is shown.
"dependencies": {
"@sinclair/typebox": "^0.32.0"
}Prefer installing from a reviewed source or lockfile if reproducibility matters.