Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

SearXNG (XiaoDing)

v1.0.5

Privacy-respecting metasearch using your local SearXNG instance. Search the web, images, news, and more without external API dependencies.

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for asterisk622/xiaoding-searxng.

Install the skill "SearXNG (XiaoDing)" (asterisk622/xiaoding-searxng) from ClawHub.
Skill page: https://clawhub.ai/asterisk622/xiaoding-searxng
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: python3
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

openclaw skills install xiaoding-searxng

ClawHub CLI

npx clawhub@latest install xiaoding-searxng
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name/description (local SearXNG search) aligns with included Python CLI code that queries a SEARXNG_URL. However there are inconsistencies: the registry metadata lists no required env vars while SKILL.md and the code require SEARXNG_URL; the repo contains a run-searxng.sh that expects and runs Docker but the skill's declared required binaries only list python3 (Docker is not declared). These omissions are disproportionate to the stated lightweight CLI purpose and should be clarified.
Instruction Scope
SKILL.md instructs running the Python script against a local SearXNG API and setting SEARXNG_URL — that is in-scope. However, the included helper script (run-searxng.sh) writes a config file and launches a Docker container (searxng/searxng:latest) with host networking and restart enabled; the README also suggests running Docker. Those actions are outside a minimal 'search' CLI's scope and affect the host (create config dir, run container). The runtime instructions do not attempt to read unrelated host files or export data to unexpected endpoints.
Install Mechanism
There is no formal install spec (instruction-only), which lowers risk, but the provided run-searxng.sh performs a docker pull/run of searxng/searxng:latest and writes config/settings.yml. Pulling an image from Docker Hub is common, but the script uses the image's latest tag (less reproducible) and runs the container with --network host and --restart always. The script assumes Docker is present (but Docker is not declared as a required binary). This install/run approach is higher-privilege than a pure CLI and should be reviewed before execution.
Credentials
The skill expects SEARXNG_URL (declared in SKILL.md metadata) which is appropriate for targeting a local instance. No API keys/credentials are requested, which matches the stated 'no external API deps' design. Caveats: the Python code disables SSL verification (verify=False) to accommodate self-signed certs — this weakens TLS protections and could expose queries to MitM on untrusted networks; config/settings.yml enables the Bing engine without declaring any Bing credentials (user should confirm whether Bing use requires credentials or causes outbound requests to third parties).
Persistence & Privilege
The run-searxng.sh launches a Docker container with --restart always and --network host, which gives the container persistent presence and network-level access equivalent to the host. The skill's registry flags do not mark it as always:true, but the provided script nonetheless configures a persistent service. This is a notable privilege increase compared to a simple CLI and should be explicitly acknowledged by users before running the script.
What to consider before installing
This skill appears to implement exactly what it claims (a CLI that queries a SearXNG JSON API), but review these points before installing or running any helper scripts:

- SEARXNG_URL: You must set SEARXNG_URL to point to your SearXNG instance (SKILL.md requires it). The registry metadata omits this — don't assume the skill will work without that environment variable.
- Docker vs Python: The CLI requires python3 and Python deps (httpx, rich). The repository includes run-searxng.sh which launches a Docker container (searxng/searxng:latest). If you plan to use that script, ensure Docker is installed and you understand the implications; Docker is not declared as a required binary in the skill metadata (inconsistency).
- Review run-searxng.sh: The script writes config/settings.yml and runs the container with --network host and --restart always. Host networking grants the container broad network access on the host and --restart always makes it persist across reboots. Only run it if you trust the Docker image and you want an always-on local service.
- Image provenance: The script pulls searxng/searxng:latest from Docker Hub. Prefer pinned versions/tags for reproducibility and inspect the image provenance if you have stricter security needs.
- TLS risk: The Python client disables SSL verification (verify=False) to accept self-signed certs. If you are not using a local trusted instance or are on an untrusted network, this could expose queries to interception. Consider editing the script to enable verification (verify=True) and using a valid cert.
- Bing engine / external calls: config/settings.yml enables the Bing engine. Confirm whether your SearXNG setup will make outbound requests to third-party services and if any API keys are required; this can affect privacy goals.
- Simple mitigation steps: (1) Inspect scripts before running; (2) run the CLI pointing at an already-running trusted SearXNG instance rather than executing run-searxng.sh; (3) if you need to run the container, change the Docker command to a fixed image tag, review container capabilities, and avoid host network if possible.

Given the above mismatches (undeclared Docker dependency, a helper that creates a persistent host-network container, and disabled SSL verification), treat the package as suspicious until you confirm these behaviors are intentional and acceptable for your environment.
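A pre-run check for the patterns this report flags, added here as an example; it is not code from the skill or from ClawHub's scanner. The rule names, the `audit` function, the loopback port mapping and the `<pinned-tag>` placeholder are assumptions, and the sample inputs are constructed because the real run-searxng.sh and searxng.py are not shown on this page.

```python
import re

# Patterns named in the scan report, each with the reason it was flagged.
RULES = [
    ("unpinned-image", re.compile(r"searxng/searxng(?::latest)?(?=\s|$)"),
     "image has no fixed tag or digest"),
    ("host-network", re.compile(r"--net(?:work)?[= ]host\b"),
     "container shares the host network stack"),
    ("restart-always", re.compile(r"--restart[= ]always\b"),
     "container persists across reboots"),
    ("tls-verify-off", re.compile(r"\bverify\s*=\s*False\b"),
     "TLS certificate verification disabled"),
]

def audit(text):
    """Return (line_number, rule_id, reason) for every flagged pattern."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):  # comment-only lines are not executed
            continue
        for rule_id, pattern, reason in RULES:
            if pattern.search(line):
                findings.append((lineno, rule_id, reason))
    return findings

# Constructed sample: the flags the report describes, not the skill's actual script.
SAMPLE_SCRIPT = """\
#!/bin/sh
# start a local SearXNG instance
docker run -d --name searxng \\
  --network host \\
  --restart always \\
  searxng/searxng:latest
"""

# Constructed sample of a client call with verification disabled.
SAMPLE_CLIENT = "resp = httpx.get(url, params=params, verify=False)\n"

# Constructed counterpart: loopback-only port, no restart policy, pinned tag placeholder.
HARDENED = """\
docker run -d --name searxng \\
  -p 127.0.0.1:8080:8080 \\
  searxng/searxng:<pinned-tag>
"""

if __name__ == "__main__":
    for name, text in [("script", SAMPLE_SCRIPT), ("client", SAMPLE_CLIENT)]:
        for lineno, rule_id, reason in audit(text):
            print(f"{name}:{lineno}: {rule_id}: {reason}")
```

The check is textual, so a clean result means none of the four flagged patterns appear, not that the script is safe to run.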

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🔍 Clawdis
Bins: python3
latest vk97d4pfxpkhe7tabntewk084y983fkrw
196 downloads
0 stars
2 versions
Updated 21h ago
v1.0.5
MIT-0

SearXNG Search

Search the web using your local SearXNG instance - a privacy-respecting metasearch engine.

Commands

Web Search

uv run {baseDir}/scripts/searxng.py search "query"              # Top 10 results
uv run {baseDir}/scripts/searxng.py search "query" -n 20        # Top 20 results
uv run {baseDir}/scripts/searxng.py search "query" --format json # JSON output

Category Search

uv run {baseDir}/scripts/searxng.py search "query" --category images
uv run {baseDir}/scripts/searxng.py search "query" --category videos

Advanced Options

uv run {baseDir}/scripts/searxng.py search "query" --language en
uv run {baseDir}/scripts/searxng.py search "query" --time-range day

Configuration

Required: Set the SEARXNG_URL environment variable to your SearXNG instance:

export SEARXNG_URL=https://your-searxng-instance.com

Or configure in your Clawdbot config:

{
  "env": {
    "SEARXNG_URL": "https://your-searxng-instance.com"
  }
}

Default (if not set): http://localhost:8080

Features

  • 🔒 Privacy-focused (uses your local instance)
  • 🌐 Multi-engine aggregation
  • 📰 Multiple search categories
  • 🎨 Rich formatted output
  • 🚀 Fast JSON mode for programmatic use

API

Uses your local SearXNG JSON API endpoint (no authentication required by default).
