Local Websearch 1
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your search terms will be visible to the SearXNG instance you configure, and potentially to whatever upstream engines that instance uses.
The tool sends the search query to the configured SearXNG server. This is purpose-aligned and disclosed, but users should understand that queries leave the local agent and go to the configured endpoint.
url = f"{base_url}/search?{urllib.parse.urlencode(params)}" ... urllib.request.urlopen(req, timeout=30)Set SEARXNG_URL only to a SearXNG instance you trust, preferably one you operate or that has acceptable privacy controls.
The skill may fail to run as packaged or may not prompt users for the needed environment variable and Python binary.
The declared command points to scripts/searxng_search.py, but the supplied manifest lists searxng_search.py at the package root. SKILL.md also declares python3 and SEARXNG_URL while registry requirements list none. These are packaging/setup inconsistencies rather than evidence of malicious behavior.
command: python3 {baseDir}/scripts/searxng_search.pyBefore installing, verify the command path is corrected and ensure python3 is available and SEARXNG_URL is set.