Skill v1.0.1
ClawScan security
SearXNG Self-Host · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 17, 2026, 5:12 PM
- Verdict: Benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's code and instructions match its stated purpose (install a local SearXNG instance and provide a small search client); nothing requests unrelated secrets or weird network endpoints, but the installer runs as root, creates a system user/service, and installs a pip package with a non-default flag — review before running on production hosts.
- Guidance: This skill appears to do what it says: install a local SearXNG instance and provide a small search CLI. Before installing, consider: (1) only run the installer as root on a machine you control (it creates a system user, writes /etc, and installs a systemd service); (2) the script installs a PyPI package named 'uv' and uses pip with --break-system-packages — review that package and the pip command to ensure you accept potential system package changes; (3) the installer clones the official searxng GitHub repo, but you should inspect the cloned code if you care about supply-chain risk; (4) if you want isolation, run this in a VM or container rather than a shared/production host. If you want extra assurance, ask the author for provenance of the 'uv' tool or run the installer in a disposable environment first.
Review Dimensions
- Purpose & Capability (ok): Name/description (self-host SearXNG + local search client) align with included files: an installer that clones the SearXNG GitHub repo, writes /etc/searxng/settings.yml, installs Python deps, and a search.py client that queries localhost and falls back to Wikipedia/GitHub.
- Instruction Scope (note): SKILL.md and scripts stay within installation and search behavior. They instruct running the installer as root on Ubuntu and using local HTTP traffic to 127.0.0.1:8888. Note: the instructions explicitly require elevated privileges (creating system user, writing /etc and systemd), so you should only run them where you trust the host and want a persistent service.
- Install Mechanism (note): Install script clones the official searxng GitHub repo (expected) and uses pip to install a CLI tool named 'uv' and then uses 'uv' to create a venv and install requirements. Download sources are GitHub/PyPI (traceable). The use of 'pip3 install --break-system-packages' is intrusive and worth reviewing before running because it allows pip to modify system-managed packages.
- Credentials (ok): No environment variables, credentials, or unrelated config paths are requested. The script writes its own /etc/searxng/settings.yml and binds to 127.0.0.1, which is proportionate to the stated goal.
- Persistence & Privilege (note): The installer creates a dedicated system user and a systemd service (persistent local daemon). That is expected for a long-running local service but requires root and will modify system-wide state; only run where that level of privilege/persistence is acceptable.
