v1.0.0

Duckduckgo Search

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 5:49 AM.

Analysis

This skill appears to do the advertised DuckDuckGo web search, with no credentials or persistence, but it sends search terms to DuckDuckGo and returns untrusted web snippets.

Guidance

This looks like a straightforward DuckDuckGo search helper. Before installing, remember that queries are still sent to DuckDuckGo, privacy depends on that external service, and returned web snippets should be treated as untrusted information rather than instructions.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agent Goal Hijack
Severity: Info | Confidence: High | Status: Note
scripts/duckduckgo_search.py
output += f"## {i}. {title}\n\n" ... output += f"{snippet}\n\n"

The script formats externally retrieved search titles and snippets into Markdown for the agent or user to read.

User impact: A malicious or misleading web result could include text that tries to influence the agent if the agent treats result content as instructions.
Recommendation: Treat search titles, snippets, and URLs as untrusted web content and verify important claims before acting on them.

Agentic Supply Chain Vulnerabilities
Severity: Info | Confidence: High | Status: Note
metadata
Source: unknown; Homepage: none

The package provides visible source code and no automatic install step, but the registry metadata does not identify an upstream source or homepage.

User impact: It is harder to verify the publisher or upstream project history before trusting the skill.
Recommendation: Review the included code and install only if you trust the registry publisher; a future version should provide clear source/homepage provenance.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low | Confidence: High | Status: Note
scripts/duckduckgo_search.py
self.base_url = "https://duckduckgo.com/html/"; self.json_api_url = "https://api.duckduckgo.com/"; params = {"q": query}

The search query is sent to DuckDuckGo endpoints as part of the skill's normal operation.

User impact: Search terms leave the local environment and are visible to the external search provider and the normal network path, even though this is expected for a web search tool.
Recommendation: Do not include passwords, tokens, private personal details, or confidential business information in search queries unless that disclosure is acceptable.