Searx Search

Pass

Audited by ClawScan on May 10, 2026.

Overview

This is a coherent SearX web-search wrapper, with minor disclosure notes because user queries are sent to public third-party instances and the code can retry more instances than the description says.

This skill appears safe for ordinary web searches, but avoid using it for sensitive queries unless you trust the public SearX instances involved. The maintainer should update the documentation and metadata to reflect the actual retry behavior and runtime dependencies.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Public SearX instances, and potentially their operators, may see or log the user's search terms.

Why it was flagged

The script sends the user's query to public SearX instances over the network. This is expected for a web-search skill, but it means query text leaves the user's environment.

Skill content

SEARCH_URL="${URL%/}/search?q=${ENCODED_QUERY}&format=json" ... RESPONSE=$(curl -s -A "Mozilla/5.0 ..." "${SEARCH_URL}" 2>/dev/null)

Recommendation

Use this skill for searches you are comfortable sending to public search services, or configure a trusted SearX instance if privacy is important.

What this means

A failed search may be sent to more third-party public instances than the written description suggests.

Why it was flagged

The implementation can consider up to 20 fetched URLs and try up to 10 instances, while the SKILL.md says it extracts up to three and retries with up to two alternatives.

Skill content

console.log(urls.slice(0, 20).join('\n')); ... MAX_ATTEMPTS=10

Recommendation

Align the documentation with the code or reduce the retry limit to the documented three attempts.

What this means

The skill may fail or behave differently depending on local tooling and the current remote SearX instance list.

Why it was flagged

The skill depends on runtime availability of curl and node and on a remote instance list, despite metadata declaring no required binaries.

Skill content

INSTANCE_LIST=$(curl -s https://searx.space/data/instances.json 2>/dev/null) ... node -e "const data = JSON.parse(...)"

Recommendation

Declare curl and node as requirements, and consider documenting the dynamic instance-list dependency.