openclaw-serper

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md and scripts/search.py explicitly call the Serper Google search API and then fetch and scrape each result URL with trafilatura, returning full extracted page text from arbitrary public websites (news/web results), which the agent is instructed to read and use as the basis for answers — exposing it to untrusted third‑party content that could carry indirect prompt injections.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill posts runtime requests to https://google.serper.dev/search and https://google.serper.dev/news (using a required SERPER_API_KEY) and then fetches and injects the full text of the returned result URLs into its output/context, meaning external content fetched at runtime directly controls the agent's prompt/context.