openclaw-serper
Pass
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill is designed to run a Python script (scripts/search.py) using the agent's Bash tool to perform Google searches and extract web content.
- [EXTERNAL_DOWNLOADS]: The skill requires the installation of the trafilatura library and makes network requests to the Serper API (google.serper.dev) and various external websites discovered during the search process.
- [PROMPT_INJECTION]: The skill extracts full-page text from third-party websites, creating a surface for indirect prompt injection. Malicious instructions embedded in the processed web pages could potentially influence the agent's subsequent reasoning or actions.
  - Ingestion points: The _extract_content function in scripts/search.py fetches and processes data from external URLs.
  - Boundary markers: The extracted content is returned within a structured JSON object, but the text inside the content field is raw and unsanitized.
  - Capability inventory: The skill can execute Python scripts and perform network operations via the Bash tool.
  - Sanitization: There is no evidence of sanitization or filtering of the extracted text to prevent instructions from being interpreted by the agent.
- [DATA_EXFILTRATION]: The script scripts/search.py contains a hardcoded absolute path (/Users/kirk/Projects/openclaw-skills/.env) used to load environment variables. This exposes information about the author's local directory structure and could lead to unintended file access if a similar path exists on the system where the skill is deployed.
Audit Metadata