Back to skill

Security audit

Google Web Search

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it says: it sends search questions to Google/Gemini to return grounded web answers with citations.

Install only if you are comfortable sending search prompts and related context to Google/Gemini. Avoid submitting secrets or regulated data, use a restricted Gemini API key, monitor API usage or billing, and pin dependencies locally if you require reproducible builds.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README explains that the skill performs Google Search grounding through Gemini but does not clearly warn that user prompts and search terms are sent to external third-party services. This can cause unintentional disclosure of sensitive, proprietary, or personal information if users assume the skill operates locally or only within OpenClaw.

Unpinned Dependencies

Low
Category
Supply Chain
Content
google-genai>=1.50.0
pydantic-settings>=2.0.0
Confidence
93% confidence
Finding
google-genai>=1.50.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
google-genai>=1.50.0
pydantic-settings>=2.0.0
Confidence
92% confidence
Finding
pydantic-settings>=2.0.0

Known Vulnerable Dependency: pydantic-settings — 1 advisory(ies): CVE-2026-58203 (pydantic-settings: NestedSecretsSettingsSource follows symlinks outside secrets_)

Low
Category
Supply Chain
Confidence
88% confidence
Finding
pydantic-settings

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.