duck prior to 0.10 did not properly handle loading of untrusted code from the current directory.
debian duck