DuckDuckGo(API)

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward DuckDuckGo search helper, with normal caution needed for external searches, proxy use, and installer commands.

Install only if you are comfortable with search queries being sent to DuckDuckGo/ddgs backends and to any configured proxy. Review installer commands before running them, prefer trusted package sources, avoid searching for secrets or proprietary data, and when embedding this tool in shell workflows pass user-supplied query text as its own argument (or shell-quote it) rather than interpolating it into a command string.
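The last recommendation above is the one most often got wrong, so here is an added example, not code from the DuckDuckGo skill or from its scan report, contrasting an injectable shell string with an argument vector and with a shlex-quoted line. `printf` stands in for the search CLI so the example runs offline; the `ddgs text -k` invocation in `search_command` and the credential patterns in `SECRET_PATTERNS` are assumptions for illustration, and the hostile query is constructed for the demonstration.

```python
"""Added example, not code from the DuckDuckGo skill or its scan report.
Shows the difference between interpolating a user-supplied query into a
shell string and passing it as a separate argument. `printf` stands in for
the search CLI so the example runs offline without network or ddgs."""
import re
import shlex
import subprocess
from typing import List

# Constructed hostile query: closes the quoted argument, then appends
# commands of its own. With the real CLI, "echo INJECTED" could be anything.
HOSTILE_QUERY = 'x"; echo INJECTED; echo "'

# Assumed heuristics for the README's "avoid searching secrets" advice:
# shapes that commonly end up pasted into a search box by mistake.
SECRET_PATTERNS = [
    re.compile(r"AKIA[0-9A-Z]{16}"),                          # AWS access key id
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),         # PEM private key
    re.compile(r"(?i)\b(password|passwd|token|secret)\s*[:=]\s*\S+"),
]


def looks_like_secret(query: str) -> bool:
    """True when the query matches one of the credential-shaped patterns."""
    return any(p.search(query) for p in SECRET_PATTERNS)


def run_unsafe(query: str) -> str:
    """Interpolation into a shell=True string: the shell re-parses the query,
    so a quote in it ends the argument and the rest runs as commands."""
    cmd = f'printf "%s\\n" "{query}"'
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_argv(query: str) -> str:
    """Argument vector, no shell: the whole query is one argv element and
    reaches the program byte for byte, quotes and semicolons included."""
    return subprocess.run(["printf", "%s\n", query],
                          capture_output=True, text=True).stdout


def run_quoted(query: str) -> str:
    """When a shell line is unavoidable (cron entry, wrapper script, remote
    ssh command), shlex.quote makes the query a single shell word."""
    cmd = "printf '%s\\n' " + shlex.quote(query)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def search_command(query: str) -> List[str]:
    """Build the argv a wrapper should exec. The `ddgs text -k <query>` form
    is an assumption about the CLI; the point is that the query is its own
    element, never part of a string the shell will parse."""
    if looks_like_secret(query):
        raise ValueError("query looks like it contains a credential; refusing")
    return ["ddgs", "text", "-k", query]


if __name__ == "__main__":
    print("unsafe :", repr(run_unsafe(HOSTILE_QUERY)))
    print("argv   :", repr(run_argv(HOSTILE_QUERY)))
    print("quoted :", repr(run_quoted(HOSTILE_QUERY)))
    print("exec   :", search_command("uv install script checksum"))
```

Run as a script, only the first variant prints INJECTED; the other two echo the query back intact. Prefer the argv form: it avoids the shell entirely, so there is no globbing or variable expansion to reason about either.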

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill documentation describes capabilities that use network access and environment variables, but the skill metadata does not declare corresponding permissions. This creates a transparency and policy-enforcement gap: users or orchestration systems may approve or execute the skill without understanding that it can make outbound requests and consume proxy-related secrets from the environment.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README promotes proxy usage via CLI and environment variables but does not warn that search terms, destination metadata, and potentially authentication credentials may be exposed to third-party proxy operators. In a search skill, this context increases sensitivity because user queries may contain confidential project names, incident details, or proprietary research topics.

External Script Fetching

Low
Category
Supply Chain
Content
```bash
# macOS/Linux
curl -LsSf https://astral.sh/uv/install.sh | sh

# Windows
powershell -c "irm https://astral.sh/uv/install.ps1 | iex"
```
Confidence
96% confidence
Finding
curl -LsSf https://astral.sh/uv/install.sh | sh

Chaining Abuse

High
Category
Tool Misuse
Content
```bash
# macOS/Linux
curl -LsSf https://astral.sh/uv/install.sh | sh

# Windows
powershell -c "irm https://astral.sh/uv/install.ps1 | iex"
```
Confidence
97% confidence
Finding
| sh
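Both findings above (External Script Fetching and Chaining Abuse) concern the same line: the installer is fetched and executed in one step, so nothing can be inspected or verified before it runs, and a substituted or partial download still reaches the shell. As an added example, not the skill's own code and not astral.sh's installer, the same install split into download, verify, triage and stage. `EXPECTED_SHA256` is a placeholder: a real value must come from the publisher through a channel other than the script URL, and the script refuses to stage anything until one is supplied. The `SUSPICIOUS` token list is a triage heuristic assumed for illustration, not a rule from the report; the sample script in the test is constructed.

```python
"""Added example, not code from the skill or from astral.sh: replace
`curl ... | sh` with download, verify, inspect, then execute as separate
steps. The expected hash below is a placeholder; a real one must be
obtained out of band (release page, signed manifest), never from the
same URL that serves the script."""
import hashlib
import hmac
import os
import stat
import tempfile
import urllib.request
from pathlib import Path
from typing import List, Optional

INSTALLER_URL = "https://astral.sh/uv/install.sh"   # the URL from the skill README
# Assumption / placeholder: not uv's real digest. stage() fails until replaced.
EXPECTED_SHA256 = "0" * 64

# Triage heuristic (assumed): lines that decode or re-pipe content are where
# a tampered installer tends to hide its payload. Hits are for a human to read.
SUSPICIOUS = (b"eval ", b"base64 -d", b"base64 --decode", b"| sh", b"| bash")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def download(url: str, timeout: float = 30.0) -> bytes:
    """Fetch to memory; urlopen raises on HTTP errors, so an error page
    can never be mistaken for the script (curl's -f does the same)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def verify(data: bytes, expected_sha256: str) -> bool:
    """Constant-time comparison of the computed digest with the expected one."""
    return hmac.compare_digest(sha256_hex(data), expected_sha256.strip().lower())


def flag_suspicious_lines(data: bytes) -> List[str]:
    """Return '<lineno>: <line>' for lines containing a SUSPICIOUS token."""
    hits = []
    for n, line in enumerate(data.splitlines(), 1):
        if any(tok in line for tok in SUSPICIOUS):
            hits.append(f"{n}: {line.decode('utf-8', 'replace')}")
    return hits


def stage(data: bytes, expected_sha256: str,
          dest_dir: Optional[Path] = None) -> Path:
    """Write the verified script to disk with owner-only permissions and
    return its path. Raises on digest mismatch. Nothing is executed here;
    running the staged file is a deliberate, separate step."""
    if not verify(data, expected_sha256):
        raise ValueError("installer digest mismatch; refusing to stage")
    dest_dir = Path(dest_dir) if dest_dir else Path(tempfile.mkdtemp(prefix="installer-"))
    path = dest_dir / "install.sh"
    path.write_bytes(data)
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR | stat.S_IXUSR)
    return path


if __name__ == "__main__":
    script = download(INSTALLER_URL)
    print(f"sha256 {sha256_hex(script)}  ({len(script)} bytes)")
    for hit in flag_suspicious_lines(script):
        print("review:", hit)
    staged = stage(script, EXPECTED_SHA256)   # raises until a real hash is set
    print(f"staged at {staged}; read it, then run: sh {staged}")
```

The separation is the point: the digest check stops a swapped script, the triage list tells the reviewer where to look first, and because execution is a separate command there is no moment at which a server can feed a shell something nobody saw.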

VirusTotal

64/64 vendors flagged this skill as clean.
