serper

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill performs Google searches via the Serper API and then concurrently fetches and scrapes the resulting public webpages using trafilatura to include "full extracted page text" in outputs (see SKILL.md "Fetches results AND reads the actual web pages" and scripts/search.py _extract_content / trafilatura.fetch_url), which clearly ingests untrusted third‑party web content that the agent is expected to read and use.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). This skill calls the Serper API endpoints (https://google.serper.dev/search and https://google.serper.dev/news) at runtime and then fetches arbitrary result URLs via trafilatura, injecting the full extracted remote page text into the skill's JSON output (i.e., model context), so fetched remote content can directly control prompts.