Skill v1.0.0
ClawScan security
Searxng Backup · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review: Mar 13, 2026, 9:20 PM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill mostly does what it claims (talk to a local SearXNG instance), but there are metadata inconsistencies and a few security-relevant choices (disabled SSL verification, missing install instructions for dependencies) that warrant caution before installing.
- Guidance: This skill appears to implement a local SearXNG search client and is generally coherent with that purpose, but there are several issues to consider before installing:
  1. Metadata mismatches: the registry listing, SKILL.md, and _meta.json use different owner IDs and version numbers; verify the publisher/author before trusting the package.
  2. The SKILL.md requires SEARXNG_URL but the registry metadata claims no env vars; make sure you set SEARXNG_URL to a SearXNG instance you control (preferably localhost).
  3. The script disables SSL verification (verify=False) and suppresses warnings to support self-signed certificates; if you point SEARXNG_URL to anything other than a local/trusted instance this could expose your queries to interception. Consider editing the script to enable verify=True if you use a proper TLS cert.
  4. There is no install spec for Python dependencies (httpx, rich). Install those in a virtualenv before running.
  5. If you need higher assurance, ask the publisher to reconcile metadata (ownerId/version) and provide an install specification or signed release.
  If you proceed, run the skill in an isolated environment and ensure SEARXNG_URL points to a host you control.
Review Dimensions
- Purpose & Capability (note): The code and SKILL.md implement a CLI that queries a SearXNG JSON API on SEARXNG_URL using python3; this matches the described purpose. However, registry metadata lists no required env vars while SKILL.md requires SEARXNG_URL, and the _meta.json ownerId/version differ from the top-level registry metadata. These metadata mismatches reduce trust and should be resolved.
- Instruction Scope (ok): Runtime instructions and the script stay within the stated purpose: build and send HTTP requests to the configured SearXNG instance and render results. The SKILL.md does not instruct reading unrelated files or harvesting other credentials.
- Install Mechanism (note): This is an instruction-only skill (no install spec). The Python script declares dependencies (httpx, rich) and a Python version, but the package registry metadata does not provide an install step. That omission may cause runtime failure and means the skill expects the environment to already satisfy requirements; not dangerous, but inconvenient and less explicit.
- Credentials (concern): No sensitive credentials are requested, which is appropriate. However, SKILL.md requires a SEARXNG_URL env var (defaulting to localhost) while the registry listing earlier claims 'Required env vars: none', which is an inconsistency. Also, the script disables SSL verification (verify=False) and suppresses SSL warnings to support self-signed certs; if the configured SEARXNG_URL points to an external/untrusted host this could enable man-in-the-middle attacks or accidental data leakage.
- Persistence & Privilege (ok): The skill does not request permanent presence (always:false) and does not modify other skills or global agent settings. It runs as an ordinary CLI tool when invoked.
