Security audit

local-search-pro

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent local SearXNG search helper, but users should understand its persistent Docker service and configurable search endpoint before installing.

Install only if you are comfortable running a persistent local Docker service. Leave SEARXNG_BASE_URL unset unless you trust the target service, avoid dev mode for normal use, and remove the service with docker rm -f searxng-local when you no longer need it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (10)

Tainted flow: 'BASE_URL' from os.environ.get (line 7, credential/environment) → requests.get (network output)

Critical
Category
Data Flow
Content
def main():
    try:
        r = requests.get(BASE_URL, timeout=5)
        if r.status_code == 200:
            print(f"OK: SearXNG reachable at {BASE_URL}")
            sys.exit(0)
Confidence
88% confidence
Finding
r = requests.get(BASE_URL, timeout=5)

Tainted flow: 'HEALTH_ENDPOINT' from os.environ.get (line 9, credential/environment) → requests.get (network output)

Critical
Category
Data Flow
Content
def health_check():
    try:
        r = requests.get(HEALTH_ENDPOINT, timeout=5)
        return r.status_code == 200
    except Exception:
        return False
Confidence
96% confidence
Finding
r = requests.get(HEALTH_ENDPOINT, timeout=5)

Tainted flow: 'SEARCH_ENDPOINT' from os.environ.get (line 8, credential/environment) → requests.get (network output)

Critical
Category
Data Flow
Content
"format": "json"
    }
    try:
        r = requests.get(SEARCH_ENDPOINT, params=params, timeout=10)
        r.raise_for_status()
        return r.json()
    except requests.exceptions.ConnectionError:
Confidence
98% confidence
Finding
r = requests.get(SEARCH_ENDPOINT, params=params, timeout=10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill advertises a constrained localhost search helper, but the documented installation behavior requires shell execution, Docker management, Python package installation, networking, and persistent container deployment without declaring permissions. This creates a trust and review gap: users and calling platforms cannot accurately assess the skill's operational footprint, increasing the chance of unexpected code execution or system modification.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The skill claims 'localhost-only' and 'secure' behavior, but the described underlying behavior allows non-local backends via SEARXNG_BASE_URL and uses a broader bind address of 0.0.0.0. That mismatch is dangerous because users may rely on the stated isolation boundary while the actual implementation can expose the service beyond localhost or send queries to remote endpoints, undermining privacy and increasing attack surface.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill advertises a localhost-only deployment, but the generated SearXNG configuration binds the service to 0.0.0.0, exposing it on all interfaces inside the container. Even though Docker publishes only 127.0.0.1 on the host, this mismatch weakens the trust boundary, can become externally reachable if port publishing changes, and contradicts the claimed security model.

Intent-Code Divergence

Medium
Confidence
99% confidence
Finding
The script claims secure production defaults but hardcodes a predictable secret_key in the generated configuration. Predictable secrets undermine any feature relying on that key, such as session integrity or anti-abuse protections, and make compromise easier across all installations using the script.

Description-Behavior Mismatch

Medium
Confidence
99% confidence
Finding
The skill metadata claims a secure localhost-only deployment, but the implementation permits redirection to any URL via SEARXNG_BASE_URL. That mismatch is security-relevant because users may rely on the stated privacy boundary while their queries are actually sent off-host or to untrusted internal destinations.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The configuration binds the service to 0.0.0.0, which exposes it on all network interfaces, directly contradicting the skill's claim of a localhost-only deployment. This can make the search service reachable from other machines on the network or, depending on host/container/firewall settings, the internet, increasing the attack surface and enabling unauthorized use or probing.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The advertised security property of being localhost-only is false because the runtime configuration exposes the service externally via 0.0.0.0. This mismatch is dangerous because users may deploy the skill under the assumption it is only locally accessible, leaving an unexpectedly exposed service available to untrusted parties.

VirusTotal

64/64 vendors flagged this skill as clean.
