Skill v1.0.0

ClawScan security

searxng-web-search · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 6, 2026, 5:31 PM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code and runtime instructions match its stated purpose (querying a self‑hosted SearXNG instance), require only network access to the configured instance, and do not request unrelated credentials or privileged installs.
Guidance
This skill appears coherent and limited to querying a SearXNG instance. Before installing, confirm you (or your operator) control the SEARXNG_BASE_URL you configure — queries will be sent to that endpoint. Avoid pointing it at untrusted public instances if you care about query privacy. Ensure the instance's JSON API is enabled (search.formats must include json). If you plan to use a public SearXNG service, be aware queries and related metadata will be visible to that service; consider hosting your own SearXNG container instead. Finally, review the included script if you want to verify there are no additional network calls or logging behaviors beyond the SearXNG requests.

Review Dimensions

Purpose & Capability
ok · Name and description state this is a SearXNG-backed web search tool and the included Python module implements only SearXNG API calls (GET /search and GET /config) against a configurable base URL. Required capabilities (Python requests, network access to the SearXNG endpoint) are proportional to the stated purpose.
Instruction Scope
ok · SKILL.md instructs the agent to call the local/remote SearXNG JSON API, enable JSON format in settings.yml, and run the provided script or import the module. The runtime instructions and code reference only the SearXNG endpoint and standard config paths; they do not attempt to read unrelated files, access other services, or transmit data to unexpected external endpoints.
Install Mechanism
ok · There is no install spec in the registry (skill is effectively instruction+script). The code is a small Python script that depends only on the requests library; no downloads from arbitrary URLs or archive extraction occur in the package. Installation guidance references Docker for SearXNG and pip install requests, which are reasonable for this skill.
Credentials
note · The skill uses environment variables to configure the SearXNG base URL, timeouts, categories, etc., which is expected. Registry metadata lists no required credentials (none are needed). Note: the skill will make network requests to whatever SEARXNG_BASE_URL is set to, so that endpoint will receive user queries; the env vars themselves are not secrets for external services.
Persistence & Privilege
ok · The skill does not request always:true, does not modify other skills, and does not attempt to store or escalate privileges. It runs as an importable / CLI tool and only needs transient network access to the configured SearXNG instance.