ClawHub

Local Websearch 1

v1.0.0

Search the web using a self-hosted SearXNG metasearch engine aggregating multiple sources without API keys and returning JSON results.

0· 690·2 current·2 all-time
by@eg-yks
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The skill claims no required env vars or binaries in the registry metadata, but the SKILL.md metadata and the script require SEARXNG_URL and python3. Also the registry slug/ownerId differ from _meta.json values. These mismatches mean the declared purpose (local SearXNG search) is fine, but the declared requirements are incomplete/inconsistent.
Instruction Scope
SKILL.md and the included Python script stay within the stated purpose: they only call the user-provided SearXNG instance and return JSON. The script does not read arbitrary host files or access other credentials. However, the SKILL.md's command points to scripts/searxng_search.py while the provided file is searxng_search.py at the repository root — a runtime path mismatch that will break execution.
Install Mechanism
There is no install spec (instruction-only with an included script). No external downloads or package installs are requested, which is low risk. The script is plain Python and does simple HTTP requests.
!
Credentials
The only environment requirement needed by the script is SEARXNG_URL (and python3). Those are appropriate for a self-hosted SearXNG client, but the registry metadata does not declare them. That omission is a red flag because users won't be informed that the agent will send queries to whatever URL is set — which could be a remote endpoint of unknown trustworthiness.
Persistence & Privilege
No elevated persistence is requested. always is false and the skill does not modify other skills or system configuration. Autonomous invocation is enabled by default but is not combined with broad credentials or persistence here.
What to consider before installing
This skill's code appears to implement a straightforward SearXNG client, but the package metadata and runtime instructions are inconsistent. Before installing: (1) confirm the author fixes metadata (declare SEARXNG_URL and python3 as requirements and correct the command path to where the script actually lives), (2) verify the owner/slug in _meta.json matches the registry entry, and (3) only point SEARXNG_URL at a SearXNG instance you control or trust — the agent will send every search query there, so a malicious or public endpoint could receive private queries. If you cannot verify these fixes, treat the skill as untrusted.

Like a lobster shell, security has layers — review code before you run it.

latestvk97d52qwtrjw1458tngg6284wn815g31

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments