Searxng
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill matches its stated purpose of querying a user-configured SearXNG instance, with only disclosed setup and privacy considerations to review.
Install only if you have or trust the SearXNG instance you configure. For best privacy, use a local instance, and be aware that the documented `uv run` workflow may resolve Python dependencies on first use.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
64/64 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
First use may install or resolve external Python packages, which introduces ordinary package-supply-chain trust considerations.
The script declares unpinned third-party Python dependencies that may be resolved when run with the documented `uv run` workflow. These dependencies are expected for HTTP requests and formatted output, but users should notice that package resolution is not pinned in the artifact.
# dependencies = ["httpx", "rich"]
Use a trusted Python/uv environment; maintainers could improve reproducibility by pinning dependency versions or publishing a lockfile.
If configured to use a remote or public SearXNG instance, search queries and returned results may be less protected against interception or tampering.
The skill sends search queries to the configured SearXNG endpoint and disables TLS certificate verification. This is disclosed as support for local self-signed certificates, but it matters if a user points the skill at a non-local HTTPS instance.
httpx.get(
    f"{SEARXNG_URL}/search",
    params=params,
    timeout=30,
    verify=False
Prefer a local or trusted SearXNG instance; if using a remote HTTPS instance, consider enabling certificate verification in the script.
