Security audit

serper-search

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Google search integration that uses Serper.dev as expected and does not show hidden persistence, unrelated data access, or destructive behavior.

Install only if you are comfortable sending search queries to Serper.dev and providing a Serper API key. Do not use it for secrets, credentials, private customer data, or sensitive investigations unless that data sharing is acceptable under your policy.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 94%

Finding: The skill advertises Google search functionality through Serper.dev but does not clearly disclose that user queries are transmitted to an external third-party service. Search queries often contain sensitive business, personal, or investigative information, so silent transmission can cause privacy, compliance, and data-handling risks even if the integration is otherwise legitimate.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.env_credential_access

Environment variable access combined with network send.

Critical
Code: suspicious.env_credential_access
Location: index.ts:72