Google Serper Search

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Serper web search skill, with normal third-party API and API-key handling risks that users should understand.

Install only if you are comfortable sending search terms and parameters to Serper.dev using your Serper API key. Use a dedicated API key, avoid searching for secrets or sensitive personal/internal data, and think carefully before permanently storing the key in shell startup files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill instructs the agent to invoke a Python script that performs web searches and therefore uses network access, but the manifest shown does not declare any permissions or capability boundaries. Undeclared network and environment access weakens auditability and user consent, and can allow a seemingly simple search skill to access external services or secrets without clear disclosure.

Tp4

High
Category
MCP Tool Poisoning
Confidence
90% confidence
Finding
The description presents the skill as general web and image search, but the documented parameters enable many additional search modes such as places, shopping, maps, scholar, patents, and autocomplete. This mismatch expands the operational scope beyond what a reviewer or orchestrator would expect, increasing the risk of unintended invocation, policy bypass, or exposure of more sensitive query types than the declared purpose suggests.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The skill metadata says it should perform web and image search, but the code enables many additional search modes such as maps, places, reviews, shopping, scholar, patents, and autocomplete. This capability drift expands what the agent can do beyond the declared scope, increasing the chance of unintended data sharing, policy bypass, or misuse through hidden functionality.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The code implements specialized search domains not justified by the stated purpose of simple web or image search. In an agent setting, excess capabilities are dangerous because they create a larger attack surface and allow prompts to invoke behaviors the operator may not realize are available.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The trigger description is broad enough that normal user phrases like 'find information' or 'what's the weather' could invoke the skill and send queries to an external service unexpectedly. In a skill that performs outbound web/API requests, overly broad triggering increases the risk of unintentional activation, privacy leakage, and surprising network access.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README states that the skill will call the Serper API and process search requests, but it does not clearly warn users that their prompts or search terms will be transmitted to a third-party service. In a search skill, this omission can lead to unintended disclosure of sensitive queries, credentials, or personal data if users assume the request stays local.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The manifest description uses broad trigger phrases like 'search for information' and 'find information online,' which can cause the skill to activate for a large range of user requests. Overbroad routing increases the chance that a network-enabled skill is invoked unnecessarily, sending user queries to third-party services when a local answer or narrower skill would have been sufficient.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The usage guidance repeats ambiguous conditions such as 'needs current information,' 'wants to verify facts,' or 'asks questions that require web search,' which are subjective and easy for an agent to over-apply. In the context of a networked skill, this can lead to excessive external querying, unnecessary disclosure of user prompts to third-party search providers, and confusion about when web access is appropriate.

VirusTotal

63/63 vendors flagged this skill as clean.
