Google Web Search
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A leaked or over-permissive API key could be misused or incur charges on the user's Google/Gemini account.
The skill uses a Gemini API key from the environment to authenticate API calls. This is expected for the stated Gemini search purpose, but it is still a credential with account and billing implications.
api_key = os.environ.get("GEMINI_API_KEY") ... client = genai.Client(api_key=api_key)
Use a restricted Gemini API key, keep it out of prompts and logs, and rotate it if it is exposed.
Sensitive details included in a prompt may be sent to Google/Gemini and may influence generated web search queries.
The user's prompt is sent to the Gemini provider with Google Search grounding enabled. This is the core feature, but it means prompt contents leave the local environment.
response = client.models.generate_content(
    model=model,
    contents=prompt,
    config=config,
)
Use this skill for information lookup and citation needs, but avoid including secrets, private documents, or confidential business data unless that provider use is acceptable.
Future dependency changes could affect behavior or security of the helper script.
The dependency versions are lower-bounded rather than pinned, so installation can pull newer compatible package releases. This is common and purpose-aligned, but it leaves the install dependent on package-manager trust and future package versions.
google-genai>=1.50.0
pydantic-settings>=2.0.0
Install in a trusted Python environment and consider pinning or locking dependency versions if reproducibility is important.
