Is ianpcook/serpapi safe?

https://github.com/openclaw/skills/tree/main/skills/ianpcook/serpapi

86
SAFE

The ianpcook/serpapi skill is a straightforward Python CLI wrapper for the SerpAPI search aggregation service. The SKILL.md contains no prompt injection, the serp.py script uses only the Python standard library, no suspicious install hooks exist, and canary file integrity was maintained throughout. The primary concern is an inherent privacy tradeoff: all agent search queries are transmitted to and logged by the disclosed third-party serpapi.com service, and the SERPAPI_API_KEY is transmitted as a URL query parameter per the service's API design. A secondary concern is the TOOLS.md location feature, which creates a cross-skill injection surface if another installed skill can write to the workspace.

Category Scores

Prompt Injection 92/100 · 30%
Data Exfiltration 75/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 72/100 · 5%

Findings (6)

MEDIUM All agent search queries routed through disclosed third-party serpapi.com -15

Every search query the agent executes via this skill is transmitted to serpapi.com in plaintext as a URL parameter. The serpapi.com service accumulates a full log of agent research activity. While this is the disclosed and intended purpose of the skill, it represents a meaningful privacy risk: a compromised or malicious serpapi.com (or a man-in-the-middle) gains visibility into sensitive research topics, user interests, and geographic context across all sessions.

LOW SERPAPI_API_KEY transmitted as plaintext URL query parameter -5

The API key is appended to the HTTPS request URL as a query parameter per serpapi.com API design. This is standard for this service but means the key appears in server access logs, proxy logs, and any network capture of TLS-terminated traffic. If the key is shared or rotated, past sessions are retroactively linkable.

LOW Workspace TOOLS.md read to extract default location setting -5

The get_default_location() function probes three filesystem paths for TOOLS.md and extracts a 'Default location:' value using a regex. This value is appended to API queries. If a co-installed skill or other write-capable agent process has written to TOOLS.md, it can inject an arbitrary location string into all subsequent SerpAPI calls, potentially leaking workspace metadata to the third-party API or manipulating search results.

LOW Executable Python script with outbound HTTPS capability -10

serp.py is an executable script that makes outbound HTTPS calls at runtime. While the call target (serpapi.com) is fixed in the source and matches documented purpose, the script accepts arbitrary query strings from the invoking agent context. Malicious query content will be forwarded verbatim to serpapi.com.

INFO Broad multi-engine search capability creates elevated OSINT surface -8

The skill exposes 20+ search engines (Google, Amazon, Yelp, eBay, TripAdvisor, etc.) through a single interface. An agent manipulated via prompt injection from another source could use this skill to conduct extensive OSINT on the user or third parties, with all query history being logged by serpapi.com.

INFO Installation performs git sparse-checkout from openclaw/skills monorepo -5

The install script clones the full openclaw/skills repository with depth=1, then uses sparse-checkout to extract only the target skill path. This is a legitimate optimization pattern, but it means the installing system briefly pulls the full shallow tree of all skills in the monorepo before filtering. No unexpected behavior observed.