Low
github · 11 files analyzed
nickclyde/duckduckgo-mcp-server
Minor capabilities, nothing alarming.
Outbound network 2
Environment variables (config / keys) 1
AI review
This is a straightforward DuckDuckGo search MCP server with no hidden instructions, prompt injection vectors, or data exfiltration mechanisms. The code only reads the DDG_SAFE_SEARCH and DDG_REGION environment variables for configuration purposes and does not transmit them anywhere.
- low Environment variable usage is legitimate — The server reads DDG_SAFE_SEARCH and DDG_REGION from environment variables, but only uses them locally to configure SafeSearch filtering and region settings for DuckDuckGo searches. No exfiltration or transmission of these values occurs.
- low Network access is within stated purpose — The server makes HTTP requests to DuckDuckGo's HTML endpoint for searches and fetches user-specified URLs for content extraction. The curl backend option is an opt-in feature for bypassing bot detection, not a hidden mechanism.
Model: deepseek-chat
Static findings
Outbound network · Makes outbound network requests
info
README.md:140
# Force curl for every fetch (requires the [browser] extra)
low
src/duckduckgo_mcp_server/server.py:420
url: The full URL of the webpage to fetch (must start with http:// or https://).
Environment variables (config / keys) · Reads environment variables (config / API keys)
low
src/duckduckgo_mcp_server/server.py:369
SAFE_SEARCH_MODE = os.getenv("DDG_SAFE_SEARCH", "MODERATE").upper()
MCPVet is a heuristic aid, not a security guarantee. A clean grade does not prove an extension is safe; always review code and instructions you don't trust.