Back to plugin

Security audit

Google

Security checks across malware telemetry and agentic risk

Overview

This appears to be a normal Google search provider using SerpApi, with no unrelated permissions or hidden behavior evident.

If you install this, expect your search queries and SerpApi API key to be sent to serpapi.com for Google search results. Only provide a SerpApi key, not unrelated credentials. The main minor mismatch is packaging metadata: the registry says no environment variables are declared, while the code and docs clearly use SERPAPI_API_KEY or an equivalent config value.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/index.js:192
Evidence
const apiKey = [REDACTED]({

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
src/index.ts:284
Evidence
const apiKey = [REDACTED]({