ddg-search
Warn
Audited by Gen Agent Trust Hub on Apr 15, 2026
Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructions specify the use of `npx --yes @oevortex/ddg_search@1.2.2` to download and run a package from the NPM registry. This package is a third-party dependency from a source that is not listed as a trusted vendor.
- [COMMAND_EXECUTION]: The provided bash implementation uses `eval` to execute the `npx` command. Running shell commands defined as strings is a high-risk pattern that can be vulnerable to manipulation.
- [PROMPT_INJECTION]: The skill ingests untrusted data from web search results and external AI synthesis engines. There are no boundary markers or sanitization routines mentioned to mitigate risks from malicious instructions embedded in search data.
  * Ingestion points: Search results from DuckDuckGo and AI answers from IAsk.ai and Monica AI.
  * Boundary markers: None present.
  * Capability inventory: Shell execution via `npx` and `eval`.
  * Sanitization: No sanitization or filtering logic is provided.
Audit Metadata