Duckduckgo Websearch

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward DuckDuckGo web search helper that sends user search terms to DuckDuckGo and returns parsed results.

Install this if you want a DuckDuckGo-based search helper. Avoid including sensitive private data in search queries because queries are sent to DuckDuckGo, and treat snippets and links as untrusted web content. Be aware that Node and npm dependency installation may be needed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 89% confidence
Finding: The frontmatter description and trigger language are broad enough to match a wide range of ordinary web-help requests, which can cause this skill to activate in situations better handled by a more specific or safer tool. Over-broad activation increases the chance of unnecessary external web access, unintended data exposure in queries, and incorrect tool selection across many common user prompts.

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The "When to use" section uses ambiguous activation conditions like "any task requiring quick web lookup," which is overly inclusive and can capture many unrelated requests. In an agent environment, ambiguous routing logic can lead to over-invocation of a networked skill, causing privacy, policy, and reliability risks even if the skill itself is not overtly malicious.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal