Is google-search safe?

https://clawhub.ai/mxfeinberg/google-search

82
SAFE

This is a straightforward Google Custom Search skill with a clean Python implementation that does exactly what it claims. The primary risks are inherent to its purpose: it introduces outbound HTTP capability and sends user-provided queries to Google's API without sanitization. No prompt injection, no malicious code patterns, no suspicious clone behavior, and all canary files remained intact.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 65/100 · 25%
Code Execution 70/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 70/100 · 5%

Findings (6)

MEDIUM Executable Python script with outbound HTTP -20

The skill includes scripts/search.py which makes outbound HTTP requests to googleapis.com. While this is the intended functionality, it introduces outbound network capability into the agent's toolset. The 'requests' dependency is not version-pinned.

MEDIUM User queries sent to external API without sanitization -25

Search queries from sys.argv are passed directly to Google's Custom Search API. An agent could be socially engineered to include sensitive context in search queries, which would then be transmitted to Google's servers and logged.

LOW Skill instructs users to store API keys in .env file -10

The SKILL.md setup instructions direct users to store GOOGLE_API_KEY and GOOGLE_CSE_ID in a .env file. While this is a standard practice, it creates a known credential file that other skills could target.

LOW Unpinned external dependency -10

The script imports 'requests' without the skill specifying a required version or including a requirements.txt with pinned versions. This creates a minor supply-chain risk.

INFO External URL reference in documentation -10

SKILL.md references cse.google.com for setup instructions. This is informational and points to the legitimate Google service. No risk of agent fetching this automatically.

INFO OpenClaw runtime reads sensitive files during install -5

The monitoring logs show the OpenClaw runtime (not the skill itself) reading .env, .aws/credentials, and auth-profiles.json during the install process. This is platform behavior, not skill-initiated, but worth noting.