free-local-web-search

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a local SearXNG search helper, but it needs review because its code can send searches to a non-local endpoint despite advertising localhost-only behavior.

Review before installing. Leave SEARXNG_BASE_URL unset or set only to a loopback SearXNG URL, avoid --dev unless you deliberately want safe_search and limiter disabled, and check that you do not already rely on a Docker container named searxng-local before running the installer.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Tainted flow: 'HEALTH_ENDPOINT' from os.environ.get (line 9, credential/environment) → requests.get (network output)

Severity: Critical
Category: Data Flow
Content:
def health_check():
    try:
        r = requests.get(HEALTH_ENDPOINT, timeout=5)
        return r.status_code == 200
    except Exception:
        return False
Confidence: 97%
Finding:
r = requests.get(HEALTH_ENDPOINT, timeout=5)

Tainted flow: 'SEARCH_ENDPOINT' from os.environ.get (line 8, credential/environment) → requests.get (network output)

Severity: Critical
Category: Data Flow
Content:
        "format": "json"
    }
    try:
        r = requests.get(SEARCH_ENDPOINT, params=params, timeout=10)
        r.raise_for_status()
        return r.json()
    except requests.exceptions.ConnectionError:
Confidence: 98%
Finding:
r = requests.get(SEARCH_ENDPOINT, params=params, timeout=10)

Intent-Code Divergence

Severity: Medium
Confidence: 99%
Finding:
The skill claims a localhost-only deployment, but the generated SearXNG configuration sets bind_address to 0.0.0.0, causing the service inside the container to listen on all interfaces. Even though Docker publishes the port only on 127.0.0.1, this mismatch weakens the trust boundary, increases exposure if networking settings change, and contradicts the advertised security model.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding:
The code behavior contradicts the skill description by permitting SEARXNG_BASE_URL to point to any host, undermining the 'secure localhost-only' claim. This is security-relevant because users and downstream agents may rely on the manifest to make trust decisions, causing sensitive searches to be exposed to external services under false assumptions.

VirusTotal

66/66 vendors flagged this skill as clean.
