Is web-search safe?

https://clawhub.ai/billyutw/web-search

85
SAFE

This is a straightforward web search skill that wraps DuckDuckGo's search API via a clean Python script. The code contains no malicious patterns — no obfuscation, no credential access, no hidden instructions, no shell execution. The primary risks are inherent to any web search tool: queries leave the machine (sent to DuckDuckGo), the pip dependency introduces a supply chain surface, and search results could contain adversarial content for indirect prompt injection.

Category Scores (score · weight)

Prompt Injection 95/100 · 30%
Data Exfiltration 70/100 · 25%
Code Execution 65/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 75/100 · 5%

Findings (7) (severity · title · score impact)

MEDIUM Third-party pip dependency installation -20

The skill instructs the agent to run 'pip install duckduckgo-search', which pulls a third-party package from PyPI. While the duckduckgo-search package is a well-known legitimate library, pip packages can contain arbitrary install-time code (setup.py/pyproject.toml build hooks). This creates a supply chain risk if the package were ever compromised.

MEDIUM Search queries sent to external service -20

All search queries are transmitted to DuckDuckGo's servers. While this is the intended and expected behavior of a web search skill, users should be aware that their search terms (which may contain sensitive context from conversations) leave the local environment. The duckduckgo-search library communicates with DuckDuckGo's API endpoints.

LOW Agent executes Python with user-controlled arguments -15

The skill instructs the agent to run 'python scripts/search.py ""' where the query comes from user input. While the argparse-based CLI properly handles arguments and the script contains no eval() or shell execution, the pattern of the agent executing scripts with user-derived input is a surface worth noting.

LOW Arbitrary file write via --output flag -10

The --output flag allows writing search results to any writable filesystem path. While this is standard CLI behavior and the script only writes search results (not existing file contents), an agent could be manipulated into writing to sensitive paths. The script uses Path.parent.mkdir(parents=True) which creates intermediate directories.

LOW Indirect prompt injection via search results -15

Web search results could contain adversarial content designed to manipulate the LLM agent processing them. This is a general risk of any web search tool, not specific to this implementation, but worth noting as search results are fed back into the agent's context.

INFO Clean SKILL.md with no hidden instructions -5

The SKILL.md file is straightforward documentation for a search tool. No hidden Unicode characters, no instruction overrides, no persona manipulation, no attempts to access credentials or sensitive data. The skill stays within its stated scope.

INFO Filesystem monitoring shows benign system activity only 0

The filesystem events log shows standard system library loading (ld.so.cache), OpenClaw agent initialization, and jiti cache file creation. These are all from the host environment's agent runtime, not from the skill itself. The .env and .aws/credentials reads are from the OpenClaw agent process, not the skill code.