ddgs (DuckDuckGo Search)

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward DDGS web-search skill, with the main caveat that search queries go to external services.

Install only from the expected ddgs package source, preferably in a virtual environment. Do not search for secrets, credentials, confidential prompts, or sensitive internal identifiers, because the query and related network metadata may be visible to search providers or configured proxies.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill promotes web search and privacy-friendly behavior but does not clearly warn that user queries, IP/proxy information, timing, and other metadata are transmitted to external search backends and intermediaries. In an agent setting, this can lead to unintended disclosure of sensitive prompts, internal identifiers, or user data if operators assume the skill is local-only or privacy-preserving.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal