SearXNG Local Search
Pass
Audited by ClawScan on May 1, 2026.
Overview
This is a straightforward SearXNG web-search wrapper, with minor setup and provenance notes but no artifact-backed malicious behavior.
This skill appears safe for its stated purpose if you trust the SearXNG instance you configure. Before using it, verify the package identity if that matters to you, avoid exposing SearXNG publicly without HTTPS/authentication, replace the example secret key, and consider pinning the Docker image instead of using `latest`.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Search terms may be visible to the selected SearXNG instance and, depending on its configuration, upstream search engines.
The tool sends the user's search query to the configured SearXNG HTTP endpoint. This is expected for a search skill, but it is still a data flow to that service and its configured search engines.
url: ${SEARXNG_URL:-http://localhost:8080}/search ... q: ${query}
Use only a trusted local or self-hosted SearXNG instance and review its logging, engine, and privacy settings.
If you run the setup, Docker will pull whatever image is current at that time, which can change across installs.
The optional Docker setup uses the mutable `latest` container tag. This is user-directed and aligned with setting up SearXNG, but it is less reproducible than pinning a version or digest.
image: searxng/searxng:latest
Pin the SearXNG image to a trusted version or digest if you need reproducible installs.
The publisher/package identity is less clear than ideal, which can make it harder to verify where the skill came from.
The package metadata does not match the provided registry listing, which shows a different owner ID and slug. This creates a provenance ambiguity, though the included artifacts are instruction-only and purpose-aligned.
"ownerId": "kn74vy5wbmaz7mg2c99ntc1dd9800kj9", "slug": "searxng-local"
Verify the publisher and source before installing, especially if future versions add code or broader permissions.
