Local Web Search

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward DuckDuckGo search helper; its main risk is that search queries are sent to an external search engine.

Safe for ordinary searches. Do not put secrets, credentials, private customer data, or confidential business details into search queries, because the query text is sent to DuckDuckGo. Treat returned snippets as untrusted web content and verify important claims from primary sources.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 91% confidence
Finding: The skill performs outbound network access but does not declare permissions, which creates a transparency and policy-enforcement gap. Even though the documented behavior is limited to DuckDuckGo HTML search and the skill explicitly claims no exfiltration or external writes, undeclared network capability can still expose prompts, queries, or sensitive user-provided data to external services and bypass operator expectations.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal