A lightweight, API-key-free web search skill based on DuckDuckGo and Trafilatura. Returns highly relevant URLs and clean markdown content.
Security Analysis
High confidence. The skill's code and instructions match its stated purpose (scraping DuckDuckGo results and extracting page bodies with trafilatura); nothing requested or installed is disproportionate or unexplained.
The name/description say it uses DuckDuckGo + trafilatura and returns cleaned markdown — the included script implements exactly that by requesting html.duckduckgo.com and using trafilatura.extract. Minor mismatch: SKILL.md suggests installing the 'duckduckgo-search' package, but the script scrapes DuckDuckGo HTML directly rather than importing that library; this appears to be a benign inconsistency (documentation vs implementation), not a capability mismatch.
SKILL.md is explicit: install trafilatura and use the script. The runtime instructions and script perform network requests to DuckDuckGo and to the target webpages and return the extracted markdown. This is within the stated purpose, but note that the skill will fetch arbitrary third-party pages and return their content (expected for a search/extraction tool) — users should be aware it may download content from sites they query (including potentially private or malicious pages if given such URLs).
No install spec is embedded in the registry (instruction-only), so nothing is written to disk by the platform. SKILL.md asks the user to pip install dependencies (standard practice). The pip recommendation includes 'duckduckgo-search' even though the script does not use that package — a minor documentation mismatch but not an install-time risk from the registry itself.
The skill requests no environment variables, no credentials, and no config paths. The operations (HTTP GET to DuckDuckGo and to result URLs) do not require secrets; the requested privileges are proportional to the described functionality.
The skill is not configured as always: true and does not request persistent or cross-skill configuration. It can be invoked by the agent normally. Nothing here indicates elevated platform privileges or unexpected persistence.
Guidance
This skill appears to do what it says: scrape DuckDuckGo HTML for result links and run trafilatura to extract page bodies as markdown. Before installing, consider: (1) run it in a sandboxed environment since it fetches arbitrary web pages you query; fetched pages can contain malicious or sensitive content; (2) audit or pin dependency versions (trafilatura) before installing via pip; (3) be aware the SKILL.md suggests installing 'duckduckgo-search' but the script doesn't use that package — the doc mismatch is not malicious but you may omit that install; (4) if you will run this unattended or let an agent invoke it autonomously, limit queries to safe domains and monitor network usage. If you need higher assurance, review the script (scripts/search.py) yourself or run it with network restrictions.
Latest Release
v1.0.0
Initial release of Pure Search:
- Lightweight web search tool using DuckDuckGo and Trafilatura.
- No API keys required; zero configuration needed.
- Returns highly relevant URLs with main content extracted as clean Markdown.
- Outputs structured JSON with titles, URLs, and markdown bodies.
- Simple setup and usage with a single Python script.
Published by @cyecho-io on ClawHub