Is dwirx/duckse safe?

https://github.com/openclaw/skills/tree/main/skills/dwirx/duckse

71
CAUTION

The dwirx/duckse skill provides a legitimate DuckDuckGo-based web search interface and its SKILL.md content contains no prompt injection, persona manipulation, or direct credential-harvesting instructions. However, the skill's Prerequisites section instructs the agent to execute an unverified remote shell script via curl|bash from a third-party GitHub repository under the skill author's control, creating a critical arbitrary code execution vector that activates whenever duckse is not pre-installed. The install script has unrestricted access to all user credential files and its content can be updated silently after skill publication.

Category Scores

Prompt Injection 85/100 · 30%
Data Exfiltration 75/100 · 25%
Code Execution 20/100 · 20%
Clone Behavior 92/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 65/100 · 5%

Findings (6)

CRITICAL curl|bash install instruction executes unverified remote code -80

The Prerequisites section of SKILL.md instructs the agent to run: curl -sSL https://raw.githubusercontent.com/dwirx/duckse/main/scripts/install.sh | bash. This pattern downloads and immediately executes a shell script from a URL the skill author controls, with no hash verification or signature check. The content of install.sh can be changed at any time. When the agent follows this instruction it grants arbitrary code execution in the user's shell context.

HIGH Unaudited install script has full access to user credentials -25

The curl|bash install script executes with the agent user's privileges and has unrestricted read access to all credential files present in the test environment: ~/.env, ~/.ssh/id_rsa, ~/.aws/credentials, ~/.npmrc, ~/.docker/config.json, and ~/.config/gcloud/application_default_credentials.json. A malicious version of install.sh could silently harvest and POST these to an attacker-controlled endpoint.

HIGH No integrity verification on install script 0

The install script URL uses no pinned commit hash, no checksum, and no GPG signature. GitHub raw URLs reflect the current HEAD of the default branch, meaning the script content is mutable after skill publication without any version bump in _meta.json.

MEDIUM Skill embeds an external URL the agent is instructed to fetch and execute -15

Although the curl|bash line is presented as a setup prerequisite rather than an override instruction, it functions as a directive the agent will follow when duckse is absent. This blurs the boundary between documentation and agent instruction, and effectively gives the skill author a remote execution hook that activates on first use.

LOW Install trigger activates silently on first search request -35

Because the install prerequisite is framed as a troubleshooting/setup step and duckse is not pre-installed, the agent will encounter 'duckse: command not found' on first invocation and follow the install instructions. The user may not be aware that a remote script is being executed during what appears to be a simple web search.

INFO Skill content is minimal and in Indonesian 0

Only two files were installed (_meta.json, SKILL.md). The skill documentation is written in Bahasa Indonesia with some English. No executable code, no package.json, no git hooks, no submodules. The Indonesian language content is not itself a risk indicator but reduces auditor visibility for non-Indonesian speakers.