serper-v

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Serper search and scraping helper, with install and privacy cautions but no artifact-backed evidence of hidden or malicious behavior.

Install only if you trust the npm package publisher and are comfortable with a global npm tool. Avoid using it with secrets, signed URLs, private systems, internal-only endpoints, or sensitive customer data unless you are authorized and comfortable sending that information through the Serper-backed workflow.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The documentation advertises a scrape feature that accepts arbitrary URLs but does not disclose that those URLs and related request data will be sent to an external third-party service (Serper). This creates a data-handling and privacy risk because users may submit internal, sensitive, or proprietary URLs without understanding they are being transmitted off-platform to an external API.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal