Web Search Instant
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anything the agent searches for may be shared with DuckDuckGo as part of the API request.
The script sends the user’s search query to DuckDuckGo’s API. This is disclosed and purpose-aligned, but search terms may contain private or sensitive information.
API_BASE="https://api.duckduckgo.com" ... RESPONSE=$(curl -sL --max-time 10 "$API_URL")
Avoid putting secrets or private personal data into search queries, and consider adding explicit metadata that declares external network/API use.
The skill may fail unless curl or wget is available, and users may need to install optional parsing tools manually.
The runnable script depends on local binaries, while the registry metadata declares no required binaries. This can cause installation/runtime confusion but does not show hidden or malicious behavior.
if command -v curl &> /dev/null; then ... elif command -v wget &> /dev/null; then ... else ... "Error: Neither curl nor wget is installed"
Declare curl or wget as required dependencies and document jq/python3 as optional or fallback dependencies in metadata.