Back to skill

Security audit

Performs web searches using DuckDuckGo to retrieve real-time information from the internet. Use when the user needs to search for current events, documentation, tutorials, or any information that requires web search capabilities.

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward DuckDuckGo search skill with expected network search behavior and only minor setup and local-output cautions.

Install this if you are comfortable with the agent installing and running the duckduckgo-search Python package. Do not put secrets, confidential business details, or sensitive personal information into search queries, and be aware that the optional save-results example can leave query and result artifacts on disk.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The skill is scoped as a web-search capability, but the documentation includes a script that writes search results to a local JSON file. In an agent setting, adding filesystem write behavior expands the skill's effective capability beyond search/retrieval and can enable unintended local data persistence, overwriting files, or leaving sensitive query/results artifacts on disk.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.