Dataify Duckduckgo Search

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Dataify DuckDuckGo search skill, but it handles a Dataify API token in a way users should review before installing.

Install only if you are comfortable sending search queries to Dataify and using a Dataify API token. Prefer setting DATAIFY_API_TOKEN in a controlled environment or using an interactive secret prompt rather than passing the token as --token in a shell command, and make sure the preview/confirmation step is followed before any search request.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 87%
Finding: The skill invokes a local Python script that reads secrets from the environment and performs outbound network requests, yet it declares no permissions. This creates a capability mismatch that can bypass user and platform expectations about what the skill is allowed to access, especially since it may transmit a provided or environment-sourced API token during external requests.

VirusTotal

64/64 vendors flagged this skill as clean.
