Google Web Search

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it uses a Gemini API key to send search prompts to Google/Gemini for grounded web answers.

Install only if you are comfortable sending search prompts and related query context to Google/Gemini. Use a restricted Gemini API key, avoid submitting secrets or regulated data, monitor API usage or billing, and pin dependencies locally if you need reproducible builds.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (3)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The README documents required credentials but does not clearly disclose that user prompts and query content are transmitted to external Google/Gemini services for processing and search. This can mislead operators into using the skill with sensitive or regulated data, creating privacy, compliance, and data-handling risks that are especially relevant for a web-search grounding skill.

Unpinned Dependencies

Low

Category: Supply Chain
Content: google-genai>=1.50.0 pydantic-settings>=2.0.0
Confidence: 95% confidence
Finding: google-genai>=1.50.0

Unpinned Dependencies

Low

Category: Supply Chain
Content: google-genai>=1.50.0 pydantic-settings>=2.0.0
Confidence: 94% confidence
Finding: pydantic-settings>=2.0.0

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal