Back to skill

Security audit

DuckDuckGo Web Search

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward DuckDuckGo search helper whose main risk is that search queries are sent to an external search service.

Install this only if you want the agent to perform external DuckDuckGo searches. Avoid putting secrets, credentials, private identifiers, or confidential internal text in search queries, and prefer installing the Python dependency in a virtual environment rather than changing system Python packages.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The skill description includes broad activation cues such as 'look something up,' 'research a topic,' and fallback use whenever another web search tool is unavailable. This can cause over-selection of the skill in situations where web access is unnecessary or where a more constrained tool should be preferred, increasing the chance of unintended external requests and expansion of the agent's attack surface.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.