Is merlintxu/serpapi-mcp safe?

The skill ships four files but airtable_log.mjs and fetch_ai_overview.mjs were not included in the source code evidence. Both scripts execute on every /serp invocation — airtable_log.mjs over stdin and fetch_ai_overview.mjs as an unconditional enrichment step. Any malicious behavior in either script (exfiltration, persistence, secondary downloads) would be invisible to this audit.

serp.sh constructs the MCP endpoint URL as https://mcp.serpapi.com/${key}/mcp.search, placing the API key as a path component rather than an Authorization header or query parameter. This exposes the credential in HTTP server access logs on the SerpAPI side, any reverse proxy or WAF between client and server that logs request URIs, and any debugging or tracing infrastructure that captures full URLs.

When SERP_LOG_AIRTABLE=1 is set — which SKILL.md explicitly notes can be configured globally in the Gateway as 'always on' — every search query string, engine, num, mode, and the complete SerpAPI JSON payload are transmitted to and stored in an external Airtable base. Although the Airtable credentials are user-supplied, the logging is automatic and persistent. Search queries often contain sensitive user intent, project names, or business context that should not leave the local environment without explicit consent per invocation.

serp.sh unconditionally runs fetch_ai_overview.mjs after every search, passing the live API key and result file. This script makes its own HTTP requests (presumably to SerpAPI's AI overview endpoint) but its source was not available for review. It could silently transmit data to additional endpoints, exfiltrate the API key to a third party, or inject content into the result before it is returned to the agent.

The skill requires npm install -g mcporter as a hard prerequisite. mcporter is a third-party npm package that is not part of this audit. Because it is installed globally, a compromised or typosquatted version would have access to all files and environment variables on the host, could intercept all MCP calls (including API keys passed as arguments), and could execute arbitrary code at the OS level. The skill provides no version pinning or integrity verification for mcporter.

If a gateway administrator sets SERP_LOG_AIRTABLE=1 globally, every /serp invocation across all users and sessions is silently archived. Over time this builds a comprehensive intelligence record of what the agent has researched. When the agent is used for sensitive tasks (legal research, financial analysis, competitive intelligence), this log leaks strategic intent to whatever system holds the Airtable token. An attacker who compromises the Airtable base gains retrospective visibility into all past searches.

inotify and auditd records show reads of .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP credentials. The first batch (auditd timestamp 1771905242.793) occurs approximately 5.5 seconds before the git clone begins (1771905248.303), consistent with monitoring-framework baseline initialization. The second batch (1771905261.645) occurs after all skill files were read and corresponds to the canary integrity verification sweep. No skill-owned process is in the execution trace at either moment. The canary integrity check confirms all files are unmodified.

Full review of SKILL.md found no prompt injection vectors: no instructions to ignore prior context, no persona override, no hidden content via unicode or HTML, no requests for elevated permissions, no external URLs for the agent to fetch autonomously. The /serp command trigger is well-scoped to its declared functionality.