serper-v
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: serper-v Version: 2.0.1 The skill is classified as suspicious primarily due to the `npm install -g @vinitngr/serper-v --force` command specified in `SKILL.md`. The `--force` flag can bypass dependency checks and overwrite existing files, which introduces a risk to system stability or integrity, even if there is no clear evidence of intentional malicious behavior. While the stated purpose of 'bulk scraping' is a high-risk capability, the instructions themselves do not indicate malicious intent for its use.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the external CLI may change the local environment and depends on code that is not included in the skill artifacts.
The skill asks users to install a global, unpinned external npm package, with --force in the SKILL.md setup example. This is expected for a CLI-based Serper wrapper, but the package should be trusted before installation.
npm install -g @vinitngr/serper-v --force
Verify the npm package publisher and contents, consider pinning a version, and avoid --force unless it is necessary.
The CLI will receive a Serper API key, which may allow API usage and quota consumption on the user's account.
The setup requires a Serper API key. This is purpose-aligned for using the Serper API, but the registry metadata declares no primary credential or required environment variables.
serperV auth <api_key>
Use a scoped or revocable Serper key if available, understand how the CLI stores it, and rotate the key if it is exposed.