Skills
skills/sundial-org/awesome-openclaw-skills/ddg-search/Gen Agent Trust Hub

ddg-search

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
  • Indirect Prompt Injection (LOW): The skill processes untrusted data from the DuckDuckGo API and returns it directly to the agent.
  • Ingestion points: DuckDuckGo API response in scripts/search.sh via curl.
  • Boundary markers: Absent; search results are echoed without delimiters or warnings.
  • Capability inventory: curl, jq, and python3 for processing data.
  • Sanitization: Absent; content is extracted from JSON and echoed.
  • External Network Access (LOW): The script connects to api.duckduckgo.com using curl. While this is the intended purpose of the skill, it involves communication with a non-whitelisted domain.
  • Command Execution (SAFE): The skill uses bash and python3 -c for URL encoding and processing. These operations are performed on the user's input query or locally and do not involve remote code execution or privilege escalation.
  • Metadata Mismatch (SAFE): The SKILL.md file references a search.py script, but the provided implementation is scripts/search.sh. This appears to be a documentation error rather than a deceptive practice.
Audit Metadata
Risk Level
SAFE
Analyzed
Feb 17, 2026, 06:13 PM