DuckDuckGo Search

This skill appears to implement the advertised search and fetch functionality but has some sloppy documentation and a few security considerations you should weigh before installing: - Missing declared dependency: ddg_search.py has a curl-based fallback (subprocess.run('curl', ...)) but the skill metadata does not declare 'curl' as required. Ensure 'curl' is present if you rely on the fallback or remove that code path. - Extraneous pip instruction: SKILL.md recommends 'pip3 install duckduckgo-search' even though the included scripts don't import that package. That likely harmlessly confuses install steps — you can omit it. - Unrestricted URL fetching (SSRF/privacy risk): ddg_fetch.py will fetch any URL you give it (and the skill could be invoked autonomously). If the agent runs in an environment that can reach internal services or metadata endpoints, this could be abused to access internal resources. Consider restricting allowed hosts, adding allow/deny rules, or running the skill in a sandboxed environment. - Review outputs and network behavior: the scripts only print JSON to stdout (no hidden external endpoints), but verify network traffic from the host when running the skill and consider rate-limiting or timeouts. If you want to proceed: (1) run the scripts in a controlled/sandboxed environment first; (2) update SKILL.md to accurately list requirements (or remove the pip line); and (3) consider adding host whitelisting or checks to prevent accidental fetching of internal IP ranges (e.g., 127.0.0.0/8, 10.0.0.0/8, 169.254.0.0/16, 192.168.0.0/16). If you want, I can produce a patched version of ddg_fetch.py that rejects private IPs and hostnames before fetching.