SearXNG Self-Hosted Search

Security checks across malware telemetry and agentic risk

Overview

This is a coherent instruction-only skill for using a self-hosted SearXNG search service, with setup choices users should review before exposing it on a network.

Before installing, decide whether the SearXNG service should be reachable only from your computer. For local-only use, bind Docker to `127.0.0.1`, replace the placeholder secret key with a random value, and consider pinning the Docker image version instead of using `latest`. Remember that search terms pass through the configured SearXNG instance and the upstream search engines it queries.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 95%
Finding
The Docker setup and settings explicitly bind the SearXNG service to all interfaces (`0.0.0.0`) and the container port is published to the host, but the skill provides no warning that this may expose the search service beyond localhost. In context, this is a network-facing self-hosted service, so accidental exposure could allow unauthorized access, abuse of the instance, or information leakage about user queries and configuration.

VirusTotal

66/66 vendors flagged this skill as clean.
