Is camohiddendj/ddg-search-cli safe?

https://github.com/openclaw/skills/tree/main/skills/camohiddendj/ddg-search-cli

95
SAFE

This skill is a straightforward DuckDuckGo CLI search tool with no malicious intent detected. The skill consists only of documentation (SKILL.md) and metadata (_meta.json). No executable code, prompt injection, or data exfiltration mechanisms were found. The only network connections were to GitHub for cloning and DNS for resolution, all expected during installation.

Category Scores

Prompt Injection 100/100 · 30%
Data Exfiltration 100/100 · 25%
Code Execution 100/100 · 20%
Clone Behavior 85/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 90/100 · 5%

Findings (2)

INFO GitHub network connection during skill installation -15

The skill clone process connected to GitHub (140.82.121.4) to fetch the monorepo. This is expected behavior for skill installation.

LOW Search functionality could be combined with other skills for data gathering -10

While the skill itself is benign, a malicious actor could use the search results in conjunction with other skills to gather information about targets. This is an inherent risk of any search capability, not a specific flaw.