Skill v1.0.0
ClawScan security
SearXNG Docker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 26, 2026, 4:09 PM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is internally consistent: it provides a local SearXNG Docker setup and a simple client script that queries the local instance; requested files, commands, and configuration match the described purpose.
- Guidance: This skill appears to do what it says: run a local SearXNG container and query it with a simple Python client. Before installing, ensure you have Docker/Docker Compose and review the Docker image (searxng/searxng:latest) if you want to limit supply-chain risk—consider pinning to a specific release tag. Change the placeholder secret (SKILL.md shows an openssl-based sed command) and verify the settings.yml you bind into the container. The service is bound to localhost by default (127.0.0.1:8888) which limits remote exposure; if you change networking, be mindful of who can reach the port. Finally, the included Python script only issues local HTTP requests and prints results; no credentials are requested or exfiltrated.
Review Dimensions
- Purpose & Capability (ok): Name/description, docker compose, settings.yml, and the Python client all align: the skill is for running and querying a self-hosted SearXNG instance. Nothing in the repo asks for unrelated services or credentials.
- Instruction Scope (ok): SKILL.md instructs only to run Docker Compose, edit the local settings, generate a local secret, and call the local HTTP JSON API. The runtime instructions do not read or transmit unrelated system files or environment variables.
- Install Mechanism (note): There is no installer; the skill is instruction-only but uses a Docker image: searxng/searxng:latest (pulled from Docker Hub). Pulling 'latest' is standard but has supply-chain implications—pinning to a release tag would be safer.
- Credentials (ok): No required environment variables, credentials, or external secrets are requested. The only environment shown is the container's SEARXNG_BASE_URL set to a localhost URL—appropriate for the stated purpose.
- Persistence & Privilege (ok): 'always' is false and the skill does not request elevated agent privileges. Running docker compose will create a local container (expected for a self-hosted service); the compose file drops most capabilities and only adds minimal ones.
