Is hahahxx/web-search-instant safe?
https://github.com/openclaw/skills/tree/main/skills/hahahxx/web-search-instant
The hahahxx/web-search-instant skill is a straightforward DuckDuckGo Instant Answer API bash wrapper with no prompt injection, no credential-access logic, no malicious install-time behavior, and no suspicious network activity. The primary concern — honeypot credential files being opened and read during monitoring — is strongly attributable to the oathe audit infrastructure performing baseline and final integrity checks, consistent with both the timing (pre-install and during the final audit scan phase) and the official canary integrity verdict confirming all files intact. The skill functions exactly as documented, with only low-severity issues: a hardcoded author-specific path in documentation, over-broad trigger phrases, and the inherent risk of third-party content entering the agent context via search results.
Findings (5)
MEDIUM Honeypot credential files read during monitoring window -15
All six honeypot credential files were opened and read during the monitoring period. Two access clusters were observed: the first (timestamps 1771932717.633–634) occurred before skill installation and is strongly consistent with the oathe monitoring infrastructure establishing a canary baseline. The second cluster (1771932740.822–823) occurred approximately 23 seconds after installation, during the period when oathe was running find/cat commands to read skill files for analysis, consistent with a final integrity verification pass. The skill's source code contains no logic to access these files, and no network traffic to suspicious endpoints was observed that would indicate exfiltration. The official canary integrity report confirms no modification or content-based exfiltration occurred. Flagged at MEDIUM severity due to the sensitivity of the files accessed, despite the benign attribution.
LOW All queries transmitted to third-party DuckDuckGo API -5
Every search query is URL-encoded and sent to https://api.duckduckgo.com. While this is the skill's stated and intended behavior, it means user query content is routinely transmitted to a third-party service. A compromised agent could be directed to search for strings that encode and transmit sensitive in-context data.
LOW Hardcoded author-specific filesystem path in SKILL.md -7
The Quick Start section of SKILL.md instructs users to cd to /home/hxx/clawd/tools before running the skill. This path is specific to the skill author's environment (user 'hxx') and does not exist in a standard installation. An agent following these instructions verbatim will encounter a directory-not-found error and may attempt to recover in unpredictable ways.
LOW Broad trigger phrases risk unintended activation -5
The skill description lists very common natural language patterns as activation triggers: 'search', 'look up', 'find information', 'what is', 'how to', 'google something'. These phrases appear in a large fraction of ordinary user requests, potentially causing the skill to trigger and make outbound DuckDuckGo API calls far more frequently than necessary.
INFO Externally controlled content injected into agent context via search results -12
DuckDuckGo API response fields (Abstract, Answer, Definition, RelatedTopics) are formatted and returned to the agent with minimal sanitization (basic HTML tag stripping via sed). This means Wikipedia summaries or other DuckDuckGo data sources could contain adversarially crafted text that acts as prompt injection against the host agent when returned from a search. This is an inherent risk of any web search integration but should be noted.