SearXNG Search CLI (Free, Self-hosted, Auto-deploy, Multi-Channel)

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real SearXNG search helper, but it gives an agent broad install, shell, service, and persistence authority that users should review carefully.

Install only if you intentionally want an agent to deploy and manage a local SearXNG service. Review any sudo prompt, avoid untrusted SEARXNG_HOST, SEARXNG_PORT, or SEARXNG_SECRET values, do not route sensitive searches through an endpoint you do not control, and enable autostart only if you want the service to persist across sessions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Findings (16)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def run(cmd, check=True, cwd=None):
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True, cwd=cwd)
    if check and result.returncode != 0:
        log(f"Error: {result.stderr}")
        sys.exit(1)
Confidence
98% confidence
Finding
result = subprocess.run(cmd, shell=True, capture_output=True, text=True, cwd=cwd)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
f'{SEARXNG_DIR}/.venv/bin/python -m searx.webapp '
        f'--host {SEARXNG_HOST} --port {SEARXNG_PORT}'
    )
    subprocess.Popen(cmd, shell=True, env=env, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)

    import time
    for _ in range(15):
Confidence
98% confidence
Finding
subprocess.Popen(cmd, shell=True, env=env, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)

Tainted flow: 'cmd' from os.environ.get (line 148, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
def run(cmd, check=True, cwd=None):
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True, cwd=cwd)
    if check and result.returncode != 0:
        log(f"Error: {result.stderr}")
        sys.exit(1)
Confidence
97% confidence
Finding
result = subprocess.run(cmd, shell=True, capture_output=True, text=True, cwd=cwd)

Tainted flow: 'cmd' from os.environ.get (line 148, credential/environment) → subprocess.Popen (code execution)

Medium
Category
Data Flow
Content
f'{SEARXNG_DIR}/.venv/bin/python -m searx.webapp '
        f'--host {SEARXNG_HOST} --port {SEARXNG_PORT}'
    )
    subprocess.Popen(cmd, shell=True, env=env, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)

    import time
    for _ in range(15):
Confidence
99% confidence
Finding
subprocess.Popen(cmd, shell=True, env=env, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)

Tainted flow: 'req' from os.environ.get (line 46, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
f"http://{SEARXNG_HOST}:{SEARXNG_PORT}",
                headers=FORWARDED_FOR
            )
            resp = urllib.request.urlopen(req, timeout=3)
            return resp.status == 200
        except:
            import time
Confidence
87% confidence
Finding
resp = urllib.request.urlopen(req, timeout=3)

Tainted flow: 'req' from os.environ.get (line 46, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
try:
        req = urllib.request.Request(url, headers=FORWARDED_FOR)
        with urllib.request.urlopen(req, timeout=10) as resp:
            data = json.load(resp)

        results = data.get("results", [])
Confidence
88% confidence
Finding
with urllib.request.urlopen(req, timeout=10) as resp:

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises itself as a search tool, but the documented capability set implies shell execution, network access, environment use, and file writes without any declared permissions or explicit user-facing warning. In this context, those capabilities are significant because the skill also exposes install/start/enable operations, which can modify the host and create persistent services beyond a simple search action.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
This is a true security concern because the skill's stated purpose is ordinary search, while the underlying behavior includes software installation, remote code/bootstrap execution, repository cloning, config modification under /etc, service management, persistence, and bot-detection bypass behavior. That mismatch increases the chance a user or orchestrator will invoke the skill with search-level trust while it performs privileged or persistent actions on the host.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill is presented as a search CLI but also performs installation, source checkout, configuration modification, service startup, and persistence setup. This mismatch increases risk because users or agent orchestrators may grant it broader trust than warranted for a simple search capability.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Writing systemd user service files and enabling/disabling them gives the skill host-level persistence and lifecycle control unrelated to ordinary search. In an agent ecosystem, persistence features substantially raise the blast radius of misuse or compromise.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The installer fetches and executes a remote shell script and clones code from the internet, which goes far beyond a search helper's stated purpose. This materially increases supply-chain and remote-code-execution risk, especially when triggered by an automated agent acting on a user's simple search request.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The explicit comment and header force 'X-Forwarded-For: 127.0.0.1' to exploit trusted proxy behavior and bypass bot detection or request limiting. That is not necessary for a benign local search client and indicates deliberate evasion of server-side protections.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The onboarding directs users/agents to execute a remote installer script via shell, create system-wide symlinks under /usr/local/bin with sudo, and copy files into /etc without any safety warning, provenance verification, or least-privilege guidance. In an agent-skill context, these steps materially increase supply-chain and privilege-escalation risk because they encourage blind execution of network-fetched code and privileged filesystem modification.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The README exposes use of an authentication secret through an environment variable but does not warn users that the value is sensitive or advise against logging, sharing, or committing it. In practice, secrets placed in shell history, screenshots, CI logs, or dotfiles can be recovered and used to access or control the SearXNG instance.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The install path performs package installation, repository cloning, virtualenv creation, and configuration edits without strong upfront disclosure. In an agent-mediated setting, hidden side effects are dangerous because users may believe they are authorizing only a search action.

Missing User Warnings

High
Confidence
93% confidence
Finding
The script attempts to write to /etc and instructs the user to use sudo if needed, while also writing service files under the user's config. Modifying privileged or persistent system locations without strong disclosure or boundaries is risky and exceeds expected behavior for a simple search utility.

VirusTotal

66/66 vendors flagged this skill as clean.
