serper
Fail
Audited by Gen Agent Trust Hub on Feb 13, 2026
Risk Level: HIGH
DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill's primary function is to extract full page content from arbitrary external URLs using `trafilatura`. This is a major attack surface for indirect prompt injection.
  - Ingestion points: Full article text is scraped from any URL returned by the Serper API (search.py via trafilatura).
  - Boundary markers: Output is formatted as JSON, but the `content` field contains raw, unvetted text from the web which the agent is then instructed to process.
  - Capability inventory: The skill's output is intended to be the primary source of truth for the agent's responses, meaning malicious content in the `content` field can directly influence agent reasoning or instructions.
  - Sanitization: No evidence of sanitization or filtering of the extracted web content to remove hidden instructions or malicious payloads is mentioned.
- Data Exposure (MEDIUM): The skill is designed to read and write sensitive configuration data (`SERPER_API_KEY`) from environment files like `~/.openclaw/.env`. While standard for many tools, this establishes a pattern of accessing sensitive local paths.
- External Downloads (LOW): Requires the installation of the `trafilatura` library from PyPI. While a legitimate library, it is an external dependency that processes untrusted HTML from the open web.
Recommendations
- AI detected serious security threats
Audit Metadata