Oathe Security Badge

Is pskill9/web-search safe?

https://github.com/pskill9/web-search

92
SAFE

This is a legitimate web search MCP server that scrapes Google search results, but it lacks proper documentation and may violate Google's Terms of Service. While the code appears benign with no malicious behavior detected, the missing SKILL.md file prevents informed user consent.

Category Scores

Prompt Injection 100/100 · 30%
Data Exfiltration 80/100 · 25%
Code Execution 95/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 50/100 · 5%

Findings (5)

HIGH Missing SKILL.md Documentation -30

The SKILL.md file is completely empty, providing no information about what this skill does or how to use it. This prevents users from giving informed consent to installation and violates expected MCP skill conventions.

MEDIUM Google Terms of Service Risk -15

The skill performs web scraping of Google search results without using official APIs, which may violate Google's Terms of Service. The README acknowledges this limitation but doesn't address the legal implications.

MEDIUM External HTTP Requests -20

The skill makes HTTP requests to external Google servers. Such requests could be used for data exfiltration, though in this case they appear legitimate for search functionality.

LOW No Rate Limiting -5

The skill implements no rate limiting or authentication mechanisms, which could lead to abuse or being blocked by Google.

LOW File Permission Modification -5

The build script modifies file permissions using chmod, which is standard practice but is a potential point of code execution during the build.