Ddg Search Fetch

Pass. Audited by ClawScan on May 1, 2026.

Overview

This is a coherent DuckDuckGo web search and page-fetching skill with no credentials or persistence, but users should note its broad URL fetching and its manual third-party package install instructions.

This skill appears suitable for web search and page fetching without API keys. Before installing, be aware that it asks you to manually install an unpinned Python package and that the fetcher can request arbitrary URLs; avoid using it on private/internal URLs unless you intend that, and treat fetched page text as untrusted web content.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the agent is asked to fetch a private or internal URL, the tool may retrieve content outside ordinary public web search scope.

Why it was flagged

The fetch tool accepts a user-supplied URL and only checks for a network location before requesting it; the artifact does not restrict schemes or private/internal hosts.

Skill content
parser.add_argument("url", help="URL to fetch")
...
if not parsed.netloc:
...
req = urllib.request.Request(url, headers={...})
Recommendation

Use this fetcher only for the public web URLs it is intended for, and consider adding an HTTP(S)-only scheme check and private-network/localhost blocking if it will run in sensitive environments.

What this means

Installing an unpinned package can expose the environment to normal package-supply-chain risk or version drift.

Why it was flagged

The skill instructs a manual installation of an unpinned third-party Python package, while the registry install spec is absent.

Skill content
pip3 install duckduckgo-search
Recommendation

Install dependencies from a trusted package index, preferably with a pinned version in an isolated environment.

What this means

A webpage could contain misleading or instruction-like text; the agent should not treat fetched content as authoritative commands.

Why it was flagged

Fetched webpage text and partial HTML are returned as tool output, which may then be included in the agent's working context.

Skill content
result["text"] = text
result["content"] = main_content[:5000]
Recommendation

Treat fetched web content as untrusted reference material and verify important claims before acting on them.