SearXNG (XiaoDing)
by asterisk622 · v1.0.5 · MIT-0
227 Downloads · 0 Stars · 0 Active Installs · 2 Versions
Install in OpenClaw
/install xiaoding-searxng
Description
Privacy-respecting metasearch using your local SearXNG instance. Search the web, images, news, and more without external API dependencies.
Usage Guidance
This skill appears to implement exactly what it claims (a CLI that queries a SearXNG JSON API), but review these points before installing or running any helper scripts:
- SEARXNG_URL: You must set SEARXNG_URL to point to your SearXNG instance (SKILL.md requires it). The registry metadata omits this — don't assume the skill will work without that environment variable.
- Docker vs Python: The CLI requires python3 and Python deps (httpx, rich). The repository includes run-searxng.sh which launches a Docker container (searxng/searxng:latest). If you plan to use that script, ensure Docker is installed and you understand the implications; Docker is not declared as a required binary in the skill metadata (inconsistency).
- Review run-searxng.sh: The script writes config/settings.yml and runs the container with --network host and --restart always. Host networking grants the container broad network access on the host and --restart always makes it persist across reboots. Only run it if you trust the Docker image and you want an always-on local service.
- Image provenance: The script pulls searxng/searxng:latest from Docker Hub. Prefer pinned versions/tags for reproducibility and inspect the image provenance if you have stricter security needs.
- TLS risk: The Python client disables SSL verification (verify=False) to accept self-signed certs. If you are not using a local trusted instance or are on an untrusted network, this could expose queries to interception. Consider editing the script to enable verification (verify=True) and using a valid cert.
- Bing engine / external calls: config/settings.yml enables the Bing engine. Confirm whether your SearXNG setup will make outbound requests to third-party services and if any API keys are required; this can affect privacy goals.
- Simple mitigation steps: (1) Inspect scripts before running; (2) run the CLI pointing at an already-running trusted SearXNG instance rather than executing run-searxng.sh; (3) if you need to run the container, change the Docker command to a fixed image tag, review container capabilities, and avoid host network if possible.
Given the above mismatches (undeclared Docker dependency, a helper that creates a persistent host-network container, and disabled SSL verification), treat the package as suspicious until you confirm these behaviors are intentional and acceptable for your environment.
Capability Analysis
Type: OpenClaw Skill
Name: xiaoding-searxng
Version: 1.0.5
The skill provides a search interface for SearXNG but includes several security vulnerabilities and risky configurations. Most notably, `scripts/searxng.py` explicitly disables SSL certificate verification (`verify=False`) and suppresses related warnings, which introduces a Man-in-the-Middle (MITM) risk. Additionally, the `run-searxng.sh` setup script employs the `--network host` Docker flag and a hardcoded temporary secret key, which are insecure practices for production or shared environments. While these choices are documented as being for local development convenience, they constitute intentional security trade-offs that qualify as suspicious vulnerabilities under the review criteria.
Capability Assessment
Purpose & Capability
The skill's name/description (local SearXNG search) aligns with included Python CLI code that queries a SEARXNG_URL. However there are inconsistencies: the registry metadata lists no required env vars while SKILL.md and the code require SEARXNG_URL; the repo contains a run-searxng.sh that expects and runs Docker but the skill's declared required binaries only list python3 (Docker is not declared). These omissions are disproportionate to the stated lightweight CLI purpose and should be clarified.
Instruction Scope
SKILL.md instructs the user to run the Python script against a local SearXNG API and to set SEARXNG_URL, which is in scope. However, the included helper script (run-searxng.sh) writes a config file and launches a Docker container (searxng/searxng:latest) with host networking and restart enabled; the README also suggests running Docker. Those actions are outside a minimal 'search' CLI's scope and affect the host (create config dir, run container). The runtime instructions do not attempt to read unrelated host files or export data to unexpected endpoints.
Install Mechanism
There is no formal install spec (instruction-only), which lowers risk, but the provided run-searxng.sh performs a docker pull/run of searxng/searxng:latest and writes config/settings.yml. Pulling an image from Docker Hub is common, but the script uses the image's latest tag (less reproducible) and runs the container with --network host and --restart always. The script assumes Docker is present (but Docker is not declared as a required binary). This install/run approach is higher-privilege than a pure CLI and should be reviewed before execution.
Credentials
The skill expects SEARXNG_URL (declared in SKILL.md metadata) which is appropriate for targeting a local instance. No API keys/credentials are requested, which matches the stated 'no external API deps' design. Caveats: the Python code disables SSL verification (verify=False) to accommodate self-signed certs — this weakens TLS protections and could expose queries to MitM on untrusted networks; config/settings.yml enables the Bing engine without declaring any Bing credentials (user should confirm whether Bing use requires credentials or causes outbound requests to third parties).
Persistence & Privilege
The run-searxng.sh script launches a Docker container with --restart always and --network host, which gives the container persistent presence and network-level access equivalent to the host. The skill's registry flags do not mark it as always:true, but the provided script nonetheless configures a persistent service. This is a notable privilege increase compared to a simple CLI and should be explicitly acknowledged by users before running the script.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install xiaoding-searxng
- After installation, invoke the skill by name or use /xiaoding-searxng
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.5
No user-facing changes detected in this release.
- Version bump to 1.0.5, but no changes to code or documentation.
- Functionality and documentation remain unchanged from previous version.
v1.0.4
- Updated documentation in SKILL.md for clarity and detailed usage instructions.
- Added examples for web, category, and advanced search commands.
- Improved configuration section, including environment variable and config file setup.
- Highlighted key features such as privacy focus and category support.
- No core functionality changes announced for this version.
Frequently Asked Questions
What is SearXNG (XiaoDing)?
Privacy-respecting metasearch using your local SearXNG instance. Search the web, images, news, and more without external API dependencies. It is an AI Agent Skill for Claude Code / OpenClaw, with 227 downloads so far.
How do I install SearXNG (XiaoDing)?
Run "/install xiaoding-searxng" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is SearXNG (XiaoDing) free?
Yes, SearXNG (XiaoDing) is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does SearXNG (XiaoDing) support?
SearXNG (XiaoDing) is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created SearXNG (XiaoDing)?
It is built and maintained by asterisk622 (@asterisk622); the current version is v1.0.5.