Skills
skills/liangdabiao/bright-data-mcp-claude-skill-deep-research/ducksearch/Gen Agent Trust Hub

ducksearch

Warn

Audited by Gen Agent Trust Hub on Apr 2, 2026

Risk Level: MEDIUMEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill uses npx -y ducksearch and npm install -g ducksearch to retrieve and install software from the public npm registry.
  • [REMOTE_CODE_EXECUTION]: Use of npx -y allows for the automatic download and execution of the ducksearch package from the remote npm registry.
  • [COMMAND_EXECUTION]: The skill relies on shell command execution for its core functionality, including searching the web and fetching content.
  • [PROMPT_INJECTION]: The skill ingests untrusted data from external websites, creating a surface for indirect prompt injection where malicious content could influence agent behavior.
  • Ingestion points: Web content retrieved via the fetch command or UrlContentExtractor tool (SKILL.md).
  • Boundary markers: Absent. The instructions do not define delimiters to separate fetched content from the prompt context.
  • Capability inventory: The skill can execute shell commands via npx (SKILL.md).
  • Sanitization: Absent. No filtering or sanitization of retrieved web content is specified.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Apr 2, 2026, 03:46 AM