ultimate-search

Functionally, the skill is consistent with its stated purpose (dual-engine web search plus page fetch and site mapping). The primary security concerns are supply-chain and data-exfiltration risks stemming from reliance on unspecified local shell scripts and arbitrary URL fetching. Key risks: executing unverified helper scripts (command execution/transitive supply-chain risk), sourcing .env (possible credential exposure), and processing untrusted web content (prompt injection). There is no direct evidence of embedded malware or hardcoded malicious endpoints in this document, but the operational model (download/execute/forward data to third-party search services and arbitrary web fetch) is moderately risky. Mitigations: require signed/verified helper scripts, restrict domain allow-lists, avoid sourcing broad .env files (only pass explicit, minimal credentials), sandbox fetch/parsing, and require human confirmation for wide or privileged actions.