File appears to expose a hardcoded API secret or token.
Critical
- Code
- suspicious.exposed_secret_literal
- Location
- dist/index.js:192
- Evidence
const apiKey = [REDACTED]({
Security audit
Security checks across malware telemetry and agentic risk
This appears to be a normal Google search provider using SerpApi, with no unrelated permissions or hidden behavior evident.
If you install this, expect your search queries and SerpApi API key to be sent to serpapi.com for Google search results. Only provide a SerpApi key, not unrelated credentials. The main minor mismatch is packaging metadata: the registry says no environment variables are declared, while the code and docs clearly use SERPAPI_API_KEY or an equivalent config value.
VirusTotal engine telemetry is currently stale for this artifact.
Detected: suspicious.exposed_secret_literal
const apiKey = [REDACTED]({const apiKey = [REDACTED]({