ICUICU
critical

serper-search-scrape-mcp-server

v0.1.2

Serper MCP Server supporting search and webpage scraping

npmmarcopesaniFirst seen Feb 22, 2026

22

Total

5

Critical

12

High

5

Medium

Findings

unknown
criticalDE-002Data ExfiltrationHigh ConfidenceLine 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    111:         // Note: These tests require a valid API key and will make real API calls
    112:         // They are disabled by default and should be run manually when needed
>>> 113:         const realClient = new SerperClient(process.env.SERPER_API_KEY || '');
    114:         const realSearchTools = new SerperSearchTools(realClient);
    115:         describe('search', () => {
Report false positive
criticalDE-002Data ExfiltrationHigh ConfidenceLine 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    3: dotenv.config();
    4: describe('SerperClient Integration Tests', () => {
>>> 5:     const apiKey = process.env.SERPER_API_KEY || '';
    6:     let client;
    7:     beforeAll(() => {
Report false positive
criticalDE-002Data ExfiltrationHigh ConfidenceLine 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    124:         // Note: These tests require a valid API key and will make real API calls
    125:         // They are disabled by default and should be run manually when needed
>>> 126:         const realClient = new SerperClient(process.env.SERPER_API_KEY || '');
    127:         describe('search', () => {
    128:             it.skip('should perform a real search with all optional parameters', async () => {
Report false positive
criticalDE-002Data ExfiltrationHigh ConfidenceLine 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    10: import { SerperPrompts } from "./prompts/index.js";
    11: // Initialize Serper client with API key from environment
>>> 12: const serperApiKey = process.env.SERPER_API_KEY;
    13: if (!serperApiKey) {
    14:     throw new Error("SERPER_API_KEY environment variable is required");
Report false positive
criticalDE-002Data ExfiltrationHigh ConfidenceLine 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    73: ### Environment Variables
    74: 
>>> 75: Create a `.env` file in the root directory:
    76: 
    77: ```
Report false positive
highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: ��ڽ�^zp��W�Z+a

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Report false positive
highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: ������� i�'�*'

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Report false positive
highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: J�b�'���ӭ�즊�

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Report false positive
highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: .+->�&��z���Ԝ��

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Report false positive
highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: .+->�&��z���Ԝ��

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Report false positive
highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: J�b�'���ӭ�즊�

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Report false positive
highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: ��ڽ�^zp��W�Z+a

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Report false positive
highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: ��ڽ�^zp��W�Z+a

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Report false positive
highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: rX��բ�'��buJ�

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Report false positive
highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: rX��բ�'��buJ�

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Report false positive
highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: ��ڽ�^zp��W�Z+a

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Report false positive
highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: ��ڽ�^zp��W�Z+a

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Report false positive
mediumNS-003Network SuspiciousMedium ConfidenceLine 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    54:         }
    55:         try {
>>> 56:             const response = await fetch(`${this.baseUrl}/search`, {
    57:                 method: "POST",
    58:                 headers: {
Report false positive
mediumNS-003Network SuspiciousMedium ConfidenceLine 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    85:         }
    86:         try {
>>> 87:             const response = await fetch("https://scrape.serper.dev", {
    88:                 method: "POST",
    89:                 headers: {
Report false positive
mediumNS-003Network SuspiciousMedium ConfidenceLine 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    23:     async search(params) {
    24:         try {
>>> 25:             const response = await fetch(`${this.baseUrl}/search`, {
    26:                 method: "POST",
    27:                 headers: {
Report false positive
mediumEN-001unknownMedium ConfidenceLine 0

High-entropy string (4.6 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

Report false positive
mediumEN-001unknownMedium ConfidenceLine 0

High-entropy string (4.6 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

Report false positive

Scan History

DateRiskFindings
Feb 25, 2026critical22
Feb 23, 2026critical22
Feb 22, 2026critical22