Security audit

Multi-Web-Search | Multi-Engine Web Search

Security checks across malware telemetry and agentic risk

Overview

This is a coherent web-search skill, but users should treat searches and installation as external network activity despite some unclear privacy wording.

Install only if you want the agent to perform external web searches. Do not include passwords, API keys, private customer data, internal URLs, or regulated information in queries; use --no-cache for sensitive searches, choose search engines and proxies deliberately, and review install.py before running it because it may install ddgs and contact external services.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Intent-Code Divergence

Medium, 95% confidence
Finding
The skill claims '本地缓存:仅存本地,无远程传输' ("Local cache: stored locally only, no remote transmission") while the rest of the document clearly instructs sending user queries to third-party search engines, optional proxies, and remote fetching via web_fetch. This is a real privacy/security documentation flaw because users and calling agents may make risk decisions based on a false assertion that no remote transmission occurs.

Intent-Code Divergence

Low, 86% confidence
Finding
The docstring claims the installer installs an optional package and verifies scripts are runnable, but later the script performs live search tests that exercise network-backed functionality. This mismatch can mislead users and automated tooling into running code that makes outbound requests they did not expect during installation.

Vague Triggers

Medium, 84% confidence
Finding
The trigger phrases are very broad and include common requests such as '搜索网页' ("search the web"), '帮我搜' ("search for me"), '技术文档' ("technical documentation"), and '最新新闻' ("latest news"), which can cause the skill to activate in many ordinary contexts. In an agent environment, overbroad activation increases the chance that user prompts containing sensitive information are automatically routed to external services without clear intent or informed consent.

Missing User Warnings

Medium, 97% confidence
Finding
The documentation omits a clear warning that user queries may be sent to third-party search engines and optional proxy infrastructure, despite the skill's core behavior depending on exactly that. This is dangerous because users may unknowingly disclose proprietary, personal, or regulated information to external parties, and the optional proxy path adds another disclosure surface.

Missing User Warnings

Medium, 91% confidence
Finding
The installer automatically runs pip install --user ddgs, which modifies the user's environment and performs network activity without prior confirmation. In an agent-skill context, unattended dependency installation increases supply-chain and environment-integrity risk because it fetches and executes package installation logic from external sources.

Missing User Warnings

Medium, 93% confidence
Finding
The installer launches quick tests that perform real search requests, causing outbound network traffic during installation without explicit opt-in. In a skill context, that is more dangerous because installation is often assumed to be local-only; unexpected network access can leak environment metadata, violate policy, or surprise sandboxed/automated deployments.

VirusTotal

63/63 vendors flagged this skill as clean.
