Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Searx Search

Provides web search using free SearX instances from https://searx.space/. Trigger when a user asks to search the web or wants the latest AI news and global e...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 91 · 0 current installs · 0 all-time installs
Security Scan
VirusTotal
Benign
View report →
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The code implements web search via public SearX instances, which fits the skill description. However the skill does not declare required runtime binaries even though the script depends on external tools (node, curl, grep, sed). That mismatch between declared requirements (none) and actual dependencies is an incoherence.
Instruction Scope
Instructions and the script perform network requests to fetch an instance list and then send the user's query to third‑party SearX instances. This is expected for a search skill, but it means user queries are transmitted to arbitrary public instances (privacy/leakage risk). There are also implementation inconsistencies: SKILL.md claims up to 3 attempts/instances, while the script slices up to 20 and allows up to 10 attempts (MAX_ATTEMPTS=10).
Install Mechanism
No install spec is provided (instruction-only plus an included script). Nothing is downloaded during installation. Runtime network calls occur when the script runs, which is expected for a web-search tool.
Credentials
No credentials or environment variables are requested, which is appropriate. However the script implicitly requires network access and the node and curl binaries; those are not declared in metadata. Also consider the privacy implication that queries are sent to third‑party servers.
Persistence & Privilege
Skill is user-invocable and not always-enabled. It does not modify other skills or system configuration. No elevated persistence is requested.
What to consider before installing
This skill does what it says (searches via public SearX instances), but review these points before installing:

  • Dependency mismatch: The script calls node and curl (and uses grep/sed). Ensure those binaries exist on the agent environment; the skill metadata does not declare them.
  • Privacy: Your search queries are sent to public SearX instances chosen at runtime. That can leak sensitive queries to third parties. If you need confidentiality, don't use this skill or configure it to use a trusted instance or proxy.
  • Implementation inconsistencies: The README promises up to 3 instances/attempts but the script may consider up to 20 instances and allows up to 10 attempts. That could affect behavior/rate limiting.
  • If you proceed, inspect or modify the script to restrict the instance list to trusted endpoints, and add explicit dependency metadata for node/curl so you know the runtime requirements.

If you want a higher-confidence assessment, provide the agent environment details (are node and curl available?) and confirm whether you accept transmitting queries to arbitrary public instances.
scripts/search_searx.sh:22
File read combined with network send (possible exfiltration).
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.


Current version: v1.0.0
latest: vk97abjg9eenpbegg7wf4bphxw9837jy3

License

MIT-0
Free to use, modify, and redistribute. No attribution required.

SKILL.md

SearX Search Skill

Overview

Search the web via a free SearX instance. Use when a user requests "search ...", "最新 AI 新闻", or "全球大事". The skill returns plain text results without HTML.

Execution

The scripts/search_searx.sh script takes a search query as its argument and performs the following steps:

  1. Download the JSON list of public instances from https://searx.space/data/instances.json.
  2. Extract up to three reachable instance URLs.
  3. For each instance (max 3 attempts):
    • Send a GET request to <instance>/search?q=<query>&format=json.
    • If the HTTP status is 200 and a non‑empty result is returned, output the titles and URLs of the first 5 results, one per line, then exit successfully.
    • If the request fails, continue with the next instance.
  4. If all attempts fail, output 搜索失败,请稍后重试。.

The script prints only plain text, suitable for direct user consumption.
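The procedure above, reimplemented in Python as an added example (this is not the skill's own scripts/search_searx.sh, and the project's script is shell-based), with the hardening the scan report recommends: an explicit allowlist of trusted instance hosts so queries are never sent to arbitrary public servers, the 3-attempt cap that SKILL.md promises, percent-encoding of the query before it is placed in the URL, and a per-request timeout. The shape of instances.json (an `instances` object keyed by instance base URL) and of the search response (`results` entries with `title` and `url`) are assumptions about those formats; `DEMO_LIST`, `DEMO_RESULTS` and `demo_fetch` are constructed fixtures so the example runs offline.

```python
"""Hardened SearX search, added example: mirrors the SKILL.md procedure with
an instance allowlist, a 3-attempt cap, query encoding and timeouts."""
import json
import sys
import urllib.parse
import urllib.request

INSTANCE_LIST_URL = "https://searx.space/data/instances.json"
MAX_ATTEMPTS = 3      # the contract SKILL.md states: at most 3 instances are tried
MAX_RESULTS = 5       # titles/URLs printed per successful query
FAILURE_MESSAGE = "搜索失败,请稍后重试。"


def fetch_json(url, timeout=10):
    """Fetch `url` over HTTPS and decode the JSON body; any error raises."""
    req = urllib.request.Request(url, headers={"User-Agent": "searx-skill-example/1.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        if resp.status != 200:
            raise RuntimeError(f"HTTP {resp.status} from {url}")
        return json.loads(resp.read().decode("utf-8"))


def select_instances(instances_json, trusted_hosts, limit=MAX_ATTEMPTS):
    """Pick up to `limit` base URLs from the instance list.

    Assumed list shape: {"instances": {"https://host/": {...}, ...}}.  Only
    HTTPS entries whose hostname is in `trusted_hosts` are kept, so the query
    is never sent to an arbitrary public server."""
    chosen = []
    for url in instances_json.get("instances", {}):
        parts = urllib.parse.urlsplit(url)
        if parts.scheme != "https" or parts.hostname not in trusted_hosts:
            continue
        chosen.append(url.rstrip("/"))
        if len(chosen) >= limit:
            break
    return chosen


def build_search_url(instance, query):
    """<instance>/search?q=<query>&format=json with the query percent-encoded,
    so characters such as '&' or '#' in the query cannot alter the request."""
    params = urllib.parse.urlencode({"q": query, "format": "json"})
    return f"{instance}/search?{params}"


def format_results(response_json, limit=MAX_RESULTS):
    """Return 'Title - URL' lines for the first `limit` results (assumed
    response shape: {"results": [{"title": ..., "url": ...}, ...]})."""
    lines = []
    for item in response_json.get("results", [])[:limit]:
        url = item.get("url", "")
        if not url:
            continue
        # Collapse whitespace so each result stays on exactly one output line.
        title = " ".join(str(item.get("title", "")).split()) or "(no title)"
        lines.append(f"{title} - {url}")
    return lines


def search(query, trusted_hosts, fetch=fetch_json):
    """Run the procedure: list instances, try each allowed one in turn,
    return the formatted results or the failure message."""
    try:
        instances_json = fetch(INSTANCE_LIST_URL)
    except Exception:
        return FAILURE_MESSAGE
    for instance in select_instances(instances_json, trusted_hosts):
        try:
            lines = format_results(fetch(build_search_url(instance, query)))
        except Exception:
            continue            # unreachable or erroring instance: try the next
        if lines:
            return "\n".join(lines)
    return FAILURE_MESSAGE


# Constructed offline fixture (not real data): one listed instance that is not
# trusted, one trusted instance that errors, one plain-HTTP instance that is
# rejected, and one trusted instance that answers with six results.
DEMO_LIST = {"instances": {
    "https://untrusted.example/": {},
    "https://down.example/": {},
    "http://plain.example/": {},
    "https://ok.example/": {},
}}
DEMO_RESULTS = {"results": [
    {"title": f"Result {i}", "url": f"https://site{i}.example/page"} for i in range(1, 7)
]}


def demo_fetch(url, timeout=10):
    """Stand-in for fetch_json that never touches the network."""
    if url == INSTANCE_LIST_URL:
        return DEMO_LIST
    if url.startswith("https://ok.example/search?"):
        return DEMO_RESULTS
    raise RuntimeError(f"constructed failure for {url}")


if __name__ == "__main__":
    query = " ".join(sys.argv[1:]) or "ai news"
    # The trusted host set would normally come from the operator's configuration.
    print(search(query, {"down.example", "ok.example"}, fetch=demo_fetch))
```

Passing `fetch=fetch_json` (the default) makes the same `search` call go to the real instance list and instances; the allowlist check in `select_instances` is what turns the scan's "arbitrary public instances" finding into a configuration decision the operator controls, and `MAX_ATTEMPTS` is the single place where the attempt cap is defined, so the README and the code cannot drift apart.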

Usage

./scripts/search_searx.sh "最新 AI 新闻"

Will output something like:

Title 1 - https://example.com/...
Title 2 - https://example.org/...

Files

