Ddg Web Search.Local.Bak 20260415 020609

Security checks across malware telemetry and agentic risk

Overview

This is a simple DuckDuckGo search helper with an underdocumented optional browser-opening flag. There is no evidence of credential access, persistence, exfiltration, or destructive behavior.

Install only if you are comfortable sending search queries to DuckDuckGo. Use the normal documented command to print results, and avoid the --open flag unless you intentionally want a local browser opened to a returned URL.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
]
    for cmd in cmds:
        try:
            subprocess.Popen(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
            return cmd[0]
        except Exception:
            continue
Confidence
95% confidence
Finding
subprocess.Popen(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill advertises executable behavior that uses shell and network access but does not declare permissions, which weakens policy enforcement and informed consent around what the skill can do. In an agent environment, undeclared capabilities make it easier for a seemingly simple search skill to perform broader actions than operators expect.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented behavior says the skill performs concise lookups via the DuckDuckGo instant answer API, but the underlying implementation reportedly also scrapes HTML search results and can open URLs in a local browser. That mismatch is dangerous because users and orchestrators may approve a low-risk lookup tool while it actually has browser-launch and broader web interaction capabilities, increasing the chance of unexpected navigation, tracking, or execution chains.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The skill description promises lightweight DuckDuckGo instant-answer behavior, but the implementation silently falls back to scraping full web search results from DuckDuckGo HTML pages. This expands the data source and behavior beyond what a caller would reasonably expect, increasing privacy, compliance, and trust risks because user queries are sent to additional endpoints and broader search results are processed. The mismatch is especially problematic for agents that rely on accurate capability declarations to make safe tool-use decisions.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The skill can launch a local browser/application to open URLs, which exceeds the stated purpose of returning concise search results. Because the URL comes from remote content, this can trigger navigation to attacker-controlled pages or invoke system handlers via `xdg-open`, creating unnecessary execution-adjacent behavior on the host. In a tool/agent environment, such side effects are dangerous because they turn a read-only search utility into one that can affect the local system state.

VirusTotal

67/67 vendors flagged this skill as clean.
