ddgs-search

Security checks across malware telemetry and agentic risk

Overview

This is a search helper whose network use, dependency install, and local wrapper are aligned with its stated web and arXiv search purpose.

Before installing, be aware that searches are sent to external services and that installation may add a local command wrapper in ~/.local/bin and install the ddgs Python package. Avoid using it for confidential queries unless you are comfortable with those third-party search providers receiving the query text.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 94%
Finding:
The skill advertises and instructs use of capabilities including network access, shell execution, environment-variable use, and file writing, but does not declare permissions for them. This creates a transparency and policy-enforcement gap: callers or orchestration systems may invoke the skill assuming it is low-privilege when it actually performs external access and local writes, increasing the chance of unintended data exposure or unsafe execution.

Context-Inappropriate Capability

Medium
Confidence: 85%
Finding:
The installer performs package installation as a side effect, which expands the skill's capabilities beyond simple search behavior and introduces supply-chain and environment-modification risk. In the context of an agent skill, silently installing packages can be dangerous because it triggers network access and changes the user's Python environment without explicit consent.

Context-Inappropriate Capability

Medium
Confidence: 92%
Finding:
The script creates ~/.local/bin and copies an executable wrapper into it, modifying the user's filesystem and command environment outside the narrow search function advertised by the skill. This is risky in agent contexts because it establishes a persistent executable on the host, which is a broader capability than transient search execution.

Missing User Warnings

Low
Confidence: 88%
Finding:
The README advertises web and arXiv search capabilities but does not disclose that user queries are transmitted to third-party search providers and the arXiv API. In an agent context, users may submit sensitive prompts, internal identifiers, or proprietary research topics, so the lack of an explicit external-data-sharing warning can cause unintentional privacy leakage.

Missing User Warnings

Medium
Confidence: 88%
Finding:
The install flow performs network-dependent pip installation without an upfront warning, which can surprise users and expose them to dependency download risk. In an agent skill setting, undisclosed network actions are more concerning because users may expect a search tool, not an installer that reaches out to package repositories automatically.

Missing User Warnings

Medium
Confidence: 93%
Finding:
Writing an executable wrapper into ~/.local/bin without prior disclosure is a meaningful persistence and filesystem-modification action. Even if intended for convenience, undisclosed installation of executables is risky because it alters future command behavior and may be unexpected in a search-focused skill.

VirusTotal

64/64 vendors flagged this skill as clean.
