Deep Research Pro
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a coherent web-research skill, but it uses shell-based web search/fetching, optional sub-agent handoff, and has some documentation/provenance inconsistencies users should verify.
This skill appears safe for ordinary web research. Before installing or using it, verify the DuckDuckGo helper path exists, avoid including highly sensitive topics unless you are comfortable sending search queries to the web, and review any standalone CLI scripts or remote repositories before running them.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
66/66 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or prompt-injected webpage could try to influence the agent's behavior or report content.
The skill intentionally brings untrusted web-page text into the agent's context for synthesis; this is expected for research, but the agent should not treat page text as instructions.
Read 3-5 key sources in full for depth. Don't just rely on search snippets.
Treat fetched webpage content only as source material, verify claims across sources, and ignore any instructions embedded in webpages.
Research topics and selected URLs will be sent to external web services, and unsafe shell interpolation could cause unintended command behavior.
The skill runs shell commands that take user-derived research queries and later runs curl commands for URLs; this is central to the research purpose, but the commands should be carefully quoted and scoped.
/home/clawdbot/clawd/skills/ddg-search/scripts/ddg "<sub-question keywords>" --max 8
Use safe argument passing or strict quoting for search terms and URLs, and confirm before fetching unusual or sensitive URLs.
A user who follows the manual CLI instructions may run code or dependencies not present in the reviewed artifact set.
The README points to a remote manual-install source and describes CLI dependencies that install automatically, while the supplied package is instruction-only and the listed homepage uses a different GitHub owner.
git clone https://github.com/parags/deep-research-pro.git ... The script is self-contained — dependencies install automatically on first run.
Verify the intended repository, review any scripts before running them, and prefer the reviewed registry package unless you specifically need the standalone CLI.
If used, another agent session may receive the research context and write a report file, which could expose sensitive research topics if the user includes them.
The skill documents an optional sub-agent workflow that passes the research request and context to another agent and asks it to report back.
sessions_spawn(... task: "Run deep research on [TOPIC]... When done, wake the main session with key findings.", label: "research-[slug]", model: "opus")
Only spawn sub-agents for non-sensitive research or explicitly limit the context shared with the sub-agent.
