google-surf-mcp-search

Warn

Audited by Gen Agent Trust Hub on May 17, 2026

Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The installation instructions direct users to execute 'npx google-surf-mcp' or clone from 'https://github.com/HarimxChoi/google-surf-mcp'. These sources are not recognized as trusted organizations or well-known services.
  • [PROMPT_INJECTION]: The skill is designed to ingest and process untrusted data from the open web (search results and URL extraction), creating a surface for Indirect Prompt Injection.
      • Ingestion points: The 'extract' and 'search_extract' tools fetch text content from any user-supplied or search-discovered URL, including HTML and PDF files.
      • Boundary markers: No instructions are provided to the agent to treat extracted content as untrusted or to ignore embedded instructions.
      • Capability inventory: The skill can fetch high volumes of data from external networks and present it directly to the agent's context.
      • Sanitization: While the skill uses parsing libraries like Readability and unpdf, it does not perform sanitization to filter out malicious instructions hidden within the text.
  • [DATA_EXFILTRATION]: The skill includes a configuration option 'SURF_ALLOW_PRIVATE=true' which explicitly enables the extraction tool to access private IP addresses. This creates a risk for Server-Side Request Forgery (SSRF), allowing the agent to potentially access internal services or metadata endpoints.
  • [COMMAND_EXECUTION]: The skill requires local command execution for setup and operation, specifically 'npx' and 'npm run bootstrap', both of which execute third-party code on the user's machine.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: May 17, 2026, 04:50 AM