brave-api-free-search

Security checks across malware telemetry and agentic risk

Overview

This skill coherently installs and queries a local SearXNG search service, with some operational risks users should understand.

Install only if you are comfortable running Docker and a persistent local SearXNG container. Leave SEARXNG_BASE_URL unset unless you intentionally want to send searches to a trusted remote endpoint, avoid --dev unless reduced filtering and rate limiting are acceptable, and note that installation replaces any existing container named searxng-local.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Tainted flow: 'HEALTH_ENDPOINT' from os.environ.get (line 9, credential/environment) → requests.get (network output)

Severity: Critical
Category: Data Flow
Content:
def health_check():
    try:
        r = requests.get(HEALTH_ENDPOINT, timeout=5)
        return r.status_code == 200
    except Exception:
        return False
Confidence: 95%
Finding: r = requests.get(HEALTH_ENDPOINT, timeout=5)

Tainted flow: 'SEARCH_ENDPOINT' from os.environ.get (line 8, credential/environment) → requests.get (network output)

Severity: Critical
Category: Data Flow
Content:
        "format": "json"
    }
    try:
        r = requests.get(SEARCH_ENDPOINT, params=params, timeout=10)
        r.raise_for_status()
        return r.json()
    except requests.exceptions.ConnectionError:
Confidence: 97%
Finding: r = requests.get(SEARCH_ENDPOINT, params=params, timeout=10)

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding:
The script description claims a secure localhost-only deployment, but SEARXNG_BASE_URL can override the default and make the healthcheck contact any URL. That mismatch can enable unintended outbound requests in environments that rely on the skill metadata for trust assumptions, potentially aiding SSRF-style probing of internal or external services.

Description-Behavior Mismatch

Severity: High
Confidence: 99%
Finding:
The installer writes server.bind_address: 0.0.0.0 while the skill advertises a localhost-only deployment. Even though Docker publishes 127.0.0.1:8080 externally, binding the service to all interfaces inside the container undermines the stated security posture and increases exposure if the port mapping changes, host networking is used, or the container is later reused in another context.

Intent-Code Divergence

Severity: Medium
Confidence: 98%
Finding:
The hidden --dev mode disables safety controls by setting safe_search to 0 and limiter.enabled to false. A concealed switch that weakens protections is dangerous because users may deploy it without understanding that abuse prevention and content filtering are being intentionally removed.

Description-Behavior Mismatch

Severity: Medium
Confidence: 99%
Finding:
The skill metadata claims a secure localhost-only deployment, but the code permits overriding the base URL via SEARXNG_BASE_URL to any destination. This mismatch is security-relevant because users and higher-level systems may rely on the localhost-only claim when deciding whether sensitive queries are safe to send through the skill.

VirusTotal

65/65 vendors flagged this skill as clean.
