SearXNG (XiaoDing)

Privacy-respecting metasearch using your local SearXNG instance. Search the web, images, news, and more without external API dependencies.

This skill appears to implement exactly what it claims (a CLI that queries a SearXNG JSON API), but review these points before installing or running any helper scripts: - SEARXNG_URL: You must set SEARXNG_URL to point to your SearXNG instance (SKILL.md requires it). The registry metadata omits this — don't assume the skill will work without that environment variable. - Docker vs Python: The CLI requires python3 and Python deps (httpx, rich). The repository includes run-searxng.sh which launches a Docker container (searxng/searxng:latest). If you plan to use that script, ensure Docker is installed and you understand the implications; Docker is not declared as a required binary in the skill metadata (inconsistency). - Review run-searxng.sh: The script writes config/settings.yml and runs the container with --network host and --restart always. Host networking grants the container broad network access on the host and --restart always makes it persist across reboots. Only run it if you trust the Docker image and you want an always-on local service. - Image provenance: The script pulls searxng/searxng:latest from Docker Hub. Prefer pinned versions/tags for reproducibility and inspect the image provenance if you have stricter security needs. - TLS risk: The Python client disables SSL verification (verify=False) to accept self-signed certs. If you are not using a local trusted instance or are on an untrusted network, this could expose queries to interception. Consider editing the script to enable verification (verify=True) and using a valid cert. - Bing engine / external calls: config/settings.yml enables the Bing engine. Confirm whether your SearXNG setup will make outbound requests to third-party services and if any API keys are required; this can affect privacy goals. - Simple mitigation steps: (1) Inspect scripts before running; (2) run the CLI pointing at an already-running trusted SearXNG instance rather than executing run-searxng.sh; (3) if you need to run the container, change the Docker command to a fixed image tag, review container capabilities, and avoid host network if possible. Given the above mismatches (undeclared Docker dependency, a helper that creates a persistent host-network container, and disabled SSL verification), treat the package as suspicious until you confirm these behaviors are intentional and acceptable for your environment.

Type: OpenClaw Skill Name: xiaoding-searxng Version: 1.0.5 The skill provides a search interface for SearXNG but includes several security vulnerabilities and risky configurations. Most notably, `scripts/searxng.py` explicitly disables SSL certificate verification (`verify=False`) and suppresses related warnings, which introduces a Man-in-the-Middle (MITM) risk. Additionally, the `run-searxng.sh` setup script employs the `--network host` Docker flag and a hardcoded temporary secret key, which are insecure practices for production or shared environments. While these choices are documented as being for local development convenience, they constitute intentional security trade-offs that qualify as suspicious vulnerabilities under the review criteria.