Searxng Web

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Package: searxng-web (mcp)
Version:
Description: web search via local searxng (no brave api key). provides searxng_search(query, count).

The `searxng-web` package provides a Node.js tool (`searxng_search`) designed to proxy web search queries to a locally hosted SearXNG instance. The tool constructs a URL targeting `http://host.docker.internal:8081/search` with the user-provided query and a `format=json` parameter. It fetches the JSON response, normalizes the results (title, URL, snippet, source), and outputs them to stdout. Input parameters (`query`, `count`) are validated, with `count` capped between 1 and 10.

The hardcoded internal Docker host address (`host.docker.internal`) is a key security control, preventing arbitrary external network requests and significantly mitigating Server-Side Request Forgery (SSRF) risks. The code logic is straightforward, performs standard HTTP requests, and does not exhibit any apparent vulnerabilities for arbitrary code execution, command injection, or data exfiltration.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Search terms, including any sensitive text placed in a query, will be sent to the configured local SearXNG instance.

Why it was flagged

The tool transmits the user's search query to a local SearXNG HTTP endpoint. This is disclosed and purpose-aligned, but users should understand that queries leave the agent process and go to that local service.

Skill content

const u=new URL("http://host.docker.internal:8081/search");u.searchParams.set("q",query);u.searchParams.set("format","json");

Recommendation

Use this only with a trusted local SearXNG instance and avoid putting secrets or private data into search queries.