Oathe Security Badge

Is Nex-ZMH/Agent-websearch-skill safe?

https://github.com/Nex-ZMH/Agent-websearch-skill

91
SAFE

This is a legitimate multi-engine search skill that provides search functionality across DuckDuckGo, Tavily, and Bing APIs with automatic failover and quota management. The code appears well-structured and does what it claims to do without evidence of malicious behavior.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 90/100 · 25%
Code Execution 80/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 85/100 · 5%

Findings (4)

MEDIUM Executable Python Code Present -20

The skill contains executable Python code that will run in the agent environment, which inherently carries execution risk despite appearing legitimate.

LOW External Network Requests -10

Skill makes HTTP requests to external search services, which could potentially be used for data exfiltration if modified.

LOW API Key Configuration Required -15

Skill requires configuration of potentially sensitive API keys through environment variables or config files.

INFO Chinese Language Content -5

SKILL.md contains Chinese text descriptions alongside English, which is normal for international developers but noted for completeness.