Is duckduckgo-search safe?

https://clawhub.ai/10e9928a/duckduckgo-search

Overall score: 62 (CAUTION)

This DuckDuckGo search skill is functionally legitimate but requests dangerously broad tool permissions (Bash(python:*), Bash(pip:*), Bash(uv:*)) that grant arbitrary code execution and package installation far beyond what a search wrapper requires. No active malicious behavior was detected during the audit (no outbound connections, no canary tampering, and no hidden prompt injection), but the excessive permissions create a significant attack surface that could be exploited through prompt injection via search results, supply-chain attacks via pip, or future skill updates.

Category Scores

Prompt Injection 55/100 · 30%
Data Exfiltration 60/100 · 25%
Code Execution 45/100 · 20%
Clone Behavior 85/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 50/100 · 5%

Findings (9)

HIGH Overly broad Bash(python:*) permission grants arbitrary code execution -35

The skill requests Bash(python:*) in its allowed-tools, which permits the agent to execute any Python code. This is far beyond what a DuckDuckGo search wrapper requires. An attacker (or a prompt injection via search results) could leverage this to run malicious Python code with full user privileges.

HIGH Bash(pip:*) and Bash(uv:*) allow installing arbitrary packages -20

The pip and uv tool permissions allow installing any package from PyPI. Malicious packages with postinstall scripts could execute arbitrary code. An agent could be tricked into installing a typosquatted or malicious package.

MEDIUM Excessive tool permissions beyond stated purpose -25

A skill that claims to 'perform web searches using DuckDuckGo' should not need arbitrary Python, pip, or uv execution. The broad permissions represent a privilege escalation beyond the skill's stated functionality, effectively granting a code execution backdoor under the guise of a search tool.

MEDIUM Skill content in non-English language reduces auditability -10

The entire SKILL.md is written in Chinese. While not malicious in itself, this reduces the ability of English-speaking users and automated scanners to quickly identify potentially harmful instructions embedded in the documentation.

MEDIUM Arbitrary Python execution enables data exfiltration paths -25

With Bash(python:*) permissions, the agent could be instructed (via prompt injection in search results or skill updates) to read sensitive files and exfiltrate data through HTTP requests, DNS queries, or encoded in search parameters.

MEDIUM Sensitive file reads detected during clone phase -15

Filesystem monitoring detected reads of .env, .aws/credentials, and OpenClaw configuration files during install. While likely attributable to the OpenClaw runtime rather than the skill itself, the .aws/credentials read warrants attention.

LOW Cross-skill chaining reference to browser-use -10

The skill explicitly documents integration with the 'browser-use' tool, suggesting a pattern where search results feed directly into browser automation. This chain could be exploited if a malicious search result URL is opened in an authenticated browser session.

INFO No outbound network activity during install 0

The skill installation produced no network connections, which is positive. The duckduckgo-search package was resolved from a local or cached registry.

INFO All honeypot files intact 0

No canary files were accessed or modified, indicating no active credential harvesting during the audit window.