ClawHub

Searxng 1

AdvisoryAudited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

NoteHigh Confidence
ASI02: Tool Misuse and Exploitation
What this means

If you use a public or untrusted SearXNG instance, your search terms could be visible to that service or exposed to network interception.

Why it was flagged

Search queries are sent to the configured SearXNG endpoint, and TLS certificate verification is disabled. This is disclosed for local self-signed instances, but it reduces protection if the URL is remote or untrusted.

Skill content
response = httpx.get(
            f"{SEARXNG_URL}/search",
            params=params,
            timeout=30,
            verify=False
Recommendation

Use a trusted local SearXNG instance when possible, and consider enabling certificate verification for remote HTTPS instances.

NoteHigh Confidence
ASI04: Agentic Supply Chain Vulnerabilities
What this means

Running the skill may install or use current versions of its Python dependencies, which can affect reproducibility.

Why it was flagged

The script declares runtime Python package dependencies without version pins. These packages are expected for HTTP requests and rich CLI output, but users should be aware of runtime dependency resolution.

Skill content
# /// script
# requires-python = ">=3.11"
# dependencies = ["httpx", "rich"]
# ///
Recommendation

If reproducibility matters, pin or lock dependency versions in your local setup and install packages from trusted indexes.