Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Searxng 1

v1.0.1

Privacy-respecting metasearch using your local SearXNG instance. Search the web, images, news, and more without external API dependencies.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description, CLI examples, and the included Python script all implement searching a local SearXNG instance. Required runtime (python3) and an instance URL (SEARXNG_URL) are reasonable and expected for this purpose. Minor inconsistency: registry metadata shows 'Required env vars: none' while SKILL.md and the script document/require SEARXNG_URL (defaulting to http://localhost:8080).
Instruction Scope
SKILL.md instructs the agent to call the included script with query and category parameters and to set SEARXNG_URL; the script issues HTTP GET requests to the SearXNG JSON API and formats/display results. The instructions do not direct reading unrelated files, harvesting secrets, or sending data to unexpected endpoints. Note: the script disables SSL verification (verify=False) and suppresses related warnings to support self-signed certs — appropriate for local instances but risky if pointed at an untrusted remote endpoint.
Install Mechanism
There is no install spec (instruction-only skill), which minimizes risk because nothing arbitrary is downloaded at install time. However, the script lists Python dependencies (httpx, rich) in header comments; the skill does not provide a mechanism to install them automatically. Users/agents must ensure those packages are present from trusted sources.
Credentials
Only one environment variable (SEARXNG_URL) is used to point at the SearXNG instance; no tokens or unrelated credentials are requested. Again, registry metadata omitted this required env var which is a documentation mismatch to be aware of. Also verify=False in requests means SSL verification is disabled — not an environment/credential issue, but a security posture to review before pointing the skill at non-local instances.
Persistence & Privilege
The skill is not force-included (always:false), does not request system-level config paths or alter other skills, and uses normal agent invocation. No elevated persistence or cross-skill modifications are present.
Assessment
This skill appears to do what it says: query a SearXNG JSON API and present results. Before installing:
(1) Confirm you run or trust the SearXNG instance you set in SEARXNG_URL (the script defaults to http://localhost:8080).
(2) Install Python dependencies (httpx, rich) from trusted package sources.
(3) If you point SEARXNG_URL to a remote/non-local endpoint, change verify=False to verify=True (and remove suppressed SSL warnings) to avoid MITM risk — the script currently disables SSL verification for convenience with self-signed certs.
(4) Note the documentation mismatch: the registry metadata omits the required SEARXNG_URL env var; set it in your agent config or shell.
(5) Run the script in an isolated environment if you want extra assurance and inspect the code yourself; there are no hidden network endpoints or credential exfiltration code in the included files.

Like a lobster shell, security has layers — review code before you run it.

latestvk97c2rzr3tq8xecj4wwcrms89n80xyqf


Runtime requirements

🔍 Clawdis
Bins: python3
