SearXNG (XiaoDing)

Security checks across malware telemetry and agentic risk

Overview

The search skill is mostly coherent, but it includes an under-disclosed Docker helper that can replace a local SearXNG container and leave a persistent host-networked service running.

Review before installing. Point the skill only at a local SearXNG instance you control, or at a remote instance you are willing to send your search queries to, and keep sensitive queries off public instances. Do not run run-searxng.sh unless you intend for it to stop and remove any existing Docker container named searxng and start a persistent host-networked SearXNG container in its place. Before using a remote HTTPS instance, enable TLS certificate verification; the skill ships with it disabled.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
85% confidence
Finding
The skill declares no permissions even though it clearly depends on environment variables and network access to query a SearXNG instance. Missing capability disclosure is dangerous because users and policy engines cannot accurately assess what the skill can access or where data may be sent.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The script goes beyond a simple search helper and performs host-level Docker lifecycle management, configuration writes, and network-exposed service setup. In an agent skill context, this is risky because invoking the skill can alter local infrastructure state and create a persistent service without explicit user approval, increasing the blast radius if the skill is triggered unexpectedly or by prompt injection.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The checklist explicitly declares the skill publication-ready while also documenting that SSL verification is disabled 'by design'. Presenting an insecure transport configuration as normal, without a prominent warning, can lead reviewers and users to deploy a tool that is open to man-in-the-middle attacks, especially when it connects to non-local or misconfigured SearXNG instances.
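One way to make the transport weakness above fail loudly instead of silently: a guard in front of the skill's HTTP client that only ever permits plaintext or unverified transport to loopback addresses. This is an added example written for this review, not code from the skill or from SearXNG. It assumes the skill queries SearXNG's /search endpoint with format=json (a real SearXNG API) and that the operator supplies the list of approved remote hosts (the allowed_hosts parameter is this example's own).

```python
"""Transport guard for a SearXNG search helper.

Added example for this review, not the skill's own code. Assumes the skill
talks to SearXNG's real JSON API at <base>/search?format=json and that the
operator lists approved remote hosts explicitly (hypothetical parameter).
"""
import ipaddress
import json
import ssl
import urllib.parse
import urllib.request


class UnsafeTransport(ValueError):
    """The requested endpoint or TLS setting would expose search queries."""


def is_loopback(host):
    """True for 'localhost' or a loopback IP (127.0.0.0/8, ::1)."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def check_endpoint(base_url, verify_tls=True, allowed_hosts=()):
    """Decide whether a query may be sent to base_url.

    Loopback instances may use plain http or skip verification: the traffic
    never leaves the machine. Anything else must be https with certificate
    verification on, and the host must be one the operator opted in to.
    Returns the normalized base URL or raises UnsafeTransport.
    """
    parts = urllib.parse.urlsplit(base_url)
    host = parts.hostname or ""
    if parts.scheme not in ("http", "https") or not host:
        raise UnsafeTransport("malformed SearXNG URL: %r" % base_url)
    if is_loopback(host):
        return base_url.rstrip("/")
    if parts.scheme != "https":
        raise UnsafeTransport("remote instance %s must be reached over https" % host)
    if not verify_tls:
        raise UnsafeTransport("TLS verification disabled for remote host %s" % host)
    if host not in allowed_hosts:
        raise UnsafeTransport("%s is not an approved SearXNG instance" % host)
    return base_url.rstrip("/")


def transport_risk(base_url, verify_tls=True, allowed_hosts=()):
    """Same check as a non-raising predicate: '' if safe, else the reason."""
    try:
        check_endpoint(base_url, verify_tls, allowed_hosts)
        return ""
    except UnsafeTransport as exc:
        return str(exc)


def build_search_request(base_url, query, verify_tls=True, allowed_hosts=()):
    """Build the request plus an SSL context that verifies chain and hostname.

    No network I/O happens here, so it can be unit-tested offline.
    """
    base = check_endpoint(base_url, verify_tls, allowed_hosts)
    url = base + "/search?" + urllib.parse.urlencode({"q": query, "format": "json"})
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    return urllib.request.Request(url, headers={"Accept": "application/json"}), ctx


def search(base_url, query, allowed_hosts=(), timeout=10):
    """Run a query; verification is never switched off for remote hosts."""
    req, ctx = build_search_request(base_url, query, True, allowed_hosts)
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return json.load(resp)
```

The design choice is that there is no knob to disable verification for a non-loopback host at all: a prompt-injected or misconfigured caller cannot downgrade the transport, it can only fail.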

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger phrases are broad, natural-language phrases that can easily appear in ordinary conversation, causing the skill to activate unexpectedly. In a skill that performs networked searches, unintended invocation can leak user queries or context to the configured search backend.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script unconditionally stops and removes a container named searxng and overwrites configuration directories without warning or confirmation. This can destroy an existing user deployment, erase custom settings, or disrupt other local services, which is unsafe behavior for a skill that appears to merely provide web search capability.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script launches a persistent container from a floating latest tag and exposes the service using host networking, while the generated configuration binds to 0.0.0.0 and disables rate limiting. Even with GRANIAN_HOST set to 127.0.0.1, the combination of externally reachable server settings, host networking, and silent image pull/run creates supply-chain and exposure risks that exceed the expected behavior of a search skill.
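A pre-flight linter covering the two findings above (the unconditional removal of an existing searxng container, and the host-networked, floating-tag, 0.0.0.0-bound deployment): run it over a helper script before executing it. This is an added example for this review, not the skill's code. The script text embedded in it is constructed to reproduce the described behaviours and is not the real run-searxng.sh; the exact docker run flags and the image name are assumptions, and the linter assumes the image is the last positional argument of docker run and that the config is written via a heredoc.

```python
"""Pre-flight lint for a SearXNG Docker helper script and the settings it writes.

Added example for this review, not the skill's own code. CONSTRUCTED_SCRIPT is
made up to mirror the behaviours in the findings; it is not the real
run-searxng.sh. Assumes the image is the last positional argument of
`docker run` (no command appended) and the config is written via a heredoc.
"""
import re
import shlex

CONSTRUCTED_SCRIPT = r'''#!/bin/sh
docker rm -f searxng 2>/dev/null
mkdir -p "$HOME/searxng" && cat > "$HOME/searxng/settings.yml" <<EOF
server:
  bind_address: "0.0.0.0"
  limiter: false
  secret_key: "ultrasecretkey"
EOF
docker run -d --name searxng --restart unless-stopped --network host \
  -v "$HOME/searxng:/etc/searxng" searxng/searxng:latest
'''

_HEREDOC = re.compile(r"<<-?\s*['\"]?(\w+)['\"]?[^\n]*\n(.*?)\n\1[ \t]*\n", re.S)


def _commands(text):
    """Join backslash continuations so each shell command is a single line."""
    return [line.strip() for line in re.sub(r"\\\n\s*", " ", text).splitlines()]


def _heredoc_bodies(text):
    """Return the bodies of <<EOF ... EOF heredocs (where the config is generated)."""
    return [m.group(2) for m in _HEREDOC.finditer(text)]


def lint_docker_command(cmd):
    """Flag destructive or over-exposed `docker` invocations in one command line."""
    try:
        argv = shlex.split(cmd)
    except ValueError:
        return ["unparseable command: %r" % cmd]
    if len(argv) < 2 or argv[0] != "docker":
        return []
    sub, args = argv[1], argv[2:]
    issues = []
    if sub == "rm" and ("-f" in args or "--force" in args):
        targets = [a for a in args if not a.startswith("-") and ">" not in a]
        issues.append("force-removes existing container(s) %s without confirmation" % targets)
    if sub == "run":
        for i, a in enumerate(args):
            if a in ("--network=host", "--net=host") or (
                a in ("--network", "--net") and i + 1 < len(args) and args[i + 1] == "host"
            ):
                issues.append("host networking: container ports land directly on host interfaces")
            if a.startswith("--restart"):
                policy = a.split("=", 1)[1] if "=" in a else (args[i + 1] if i + 1 < len(args) else "")
                if policy and policy != "no":
                    issues.append("restart policy %r makes the container persist across reboots" % policy)
        image = args[-1] if args and not args[-1].startswith("-") else ""
        name_part = image.rsplit("/", 1)[-1]
        # A digest pin (@sha256:...) is reproducible; an untagged or :latest image is not.
        if image and "@sha256:" not in name_part and (":" not in name_part or name_part.endswith(":latest")):
            issues.append("floating image tag %r: each pull may run different code" % image)
    return issues


def lint_settings(yaml_text):
    """Check the server block of a generated SearXNG settings.yml (line-based, no YAML lib)."""
    issues = []
    m = re.search(r"^\s*bind_address:\s*[\"']?([^\"'\s]+)", yaml_text, re.M)
    if m and m.group(1) in ("0.0.0.0", "::", "[::]"):
        issues.append("bind_address %s listens on all interfaces" % m.group(1))
    m = re.search(r"^\s*limiter:\s*(\w+)", yaml_text, re.M)
    if m and m.group(1).lower() == "false":
        issues.append("rate limiting disabled (limiter: false)")
    m = re.search(r"^\s*secret_key:\s*[\"']?([^\"'\s]*)", yaml_text, re.M)
    if m and m.group(1) in ("", "changeme", "ultrasecretkey"):
        issues.append("secret_key left at a placeholder value")
    return issues


def lint_script(text):
    """Lint every docker command and every generated config in a helper script."""
    issues = []
    for cmd in _commands(text):
        if cmd.startswith("docker "):
            issues.extend(lint_docker_command(cmd))
    for body in _heredoc_bodies(text):
        issues.extend(lint_settings(body))
    return issues


if __name__ == "__main__":
    for issue in lint_script(CONSTRUCTED_SCRIPT):
        print("-", issue)
```

A clean invocation for comparison is one that publishes a port on the loopback address only (for example -p 127.0.0.1:8080:8080 instead of --network host), pins the image by digest, and writes a settings.yml with bind_address 127.0.0.1, limiter enabled and a real secret_key; the linter returns an empty list for that shape.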

Shadow Command Trigger

Medium
Category
Trigger Abuse
Confidence
90% confidence
Finding
The trigger 'search for' overlaps with a common built-in search command, creating a shadowing risk where users may invoke this skill when they intended a trusted native function. That can reroute queries to a different backend and change trust boundaries without the user realizing it.

Shadow Command Trigger

Medium
Category
Trigger Abuse
Confidence
90% confidence
Finding
The trigger 'search web' is very close to generic built-in search behavior and can intercept routine user commands. Because this skill sends requests over the network to a configured instance, accidental activation may expose search terms to infrastructure the user did not intend to use.

Shadow Command Trigger

Medium
Category
Trigger Abuse
Confidence
89% confidence
Finding
The trigger 'find information' collides with a generic built-in 'find' command pattern and is broad enough to match normal assistant interactions. This increases the chance of unintended network requests and unexpected behavior delegation to the skill.

VirusTotal

66/66 vendors flagged this skill as clean.