Security audit

Ddgr Search

Security checks across malware telemetry and agentic risk

Overview

This is a simple web-search wrapper for ddgr, with the main caveat that searches leave the local machine and depend on a local ddgr install.

Install only if you trust the local ddgr executable and are comfortable sending search terms to the external search provider it uses. Do not search for passwords, tokens, private project names, customer data, or other sensitive information.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Low

Confidence: 96% confidence
Finding: The skill sends user-provided search queries to an external web service through `ddgr`, but the description does not warn users that their input leaves the local environment. This can expose sensitive prompts, internal project names, credentials, or investigative activity if users assume the tool is purely local or do not realize searches are transmitted to a third party.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.