Low Risk — Risk Score 20/100
Last scan: 2 days ago
searx-search
Web search using free SearX instances
Legitimate web search skill using public SearX instances with minor security considerations around User-Agent spoofing and dependency on Node.js.
Skill Name: searx-search
Duration: 35.8s
Engine: pi
Safe to install
Consider documenting the Node.js dependency explicitly. The hardcoded IP in User-Agent is a false positive (it's a Chrome version number).

Findings (3 items)

Severity | Finding | Location
--- | --- | ---
Low | User-Agent string hardcoded | scripts/search_searx.sh:43
  Details: The script hardcodes a Chrome User-Agent string (Chrome/120.0.0.0) to avoid bot detection when querying public SearX instances. While common practice, this obscures the actual client making requests.
  Evidence: curl -s -A "Mozilla/5.0...Chrome/120.0.0.0..."
  → Document this as intentional anti-bot bypass for public API access

Info | Node.js runtime dependency not documented | scripts/search_searx.sh:24
  Details: The script uses 'node -e' for JSON parsing and URL encoding, requiring Node.js to be installed. This dependency is not declared in SKILL.md.
  Evidence: node -e "const data = JSON.parse..."
  → Add Node.js as a runtime requirement in SKILL.md

Info | Pre-scan false positive: IP address flagging | scripts/search_searx.sh:43
  Details: The pre-scan flagged '120.0.0.0' as a hardcoded IP address, but this is actually part of the User-Agent version string (Chrome/120.0.0.0), not a network address.
  Evidence: Chrome/120.0.0.0
  → No action needed - false positive
Resource | Declared | Inferred | Status | Evidence
--- | --- | --- | --- | ---
Network | READ | READ | ✓ Aligned | SKILL.md:16 - Fetches instances.json and performs search queries
Shell | NONE | WRITE | ✓ Aligned | scripts/search_searx.sh:2 - Uses curl, node -e for processing
Filesystem | NONE | NONE | | No file read/write operations; node reads from stdin only
Environment | NONE | NONE | | No access to environment variables
Clipboard | NONE | NONE | | Not used
Browser | NONE | NONE | | Not used
Database | NONE | NONE | | Not used
Skill Invoke | NONE | NONE | | Not used
Pre-scan flags: 1 High, 6 findings

Severity | Category | Value | Location
--- | --- | --- | ---
High | IP Address (hardcoded IP address) | 120.0.0.0 | scripts/search_searx.sh:43
Medium | External URL | https://searx.space/. | SKILL.md:3
Medium | External URL | https://searx.space/data/instances.json | SKILL.md:16
Medium | External URL | https://searx.be | scripts/search_searx.sh:16
Medium | External URL | https://searx.org | scripts/search_searx.sh:17
Medium | External URL | https://searx.xyz | scripts/search_searx.sh:18

File Tree

2 files · 3.8 KB · 113 lines
Shell: 1 file, 76 lines · Markdown: 1 file, 37 lines
├─ 📁 scripts
│ └─ 🔧 search_searx.sh Shell 76L · 2.4 KB
└─ 📝 SKILL.md Markdown 37L · 1.5 KB

Dependencies (2 items)

Package | Version | Source | Known Vulns | Notes
--- | --- | --- | --- | ---
curl | system | system utility | No | Standard POSIX tool for HTTP requests
node | system | system dependency | No | Used for JSON parsing and URL encoding; not declared in SKILL.md

Security Positives

✓ Skill behavior is fully documented in SKILL.md
✓ No credential harvesting or sensitive path access
✓ No base64 encoded payloads or obfuscated code
✓ No data exfiltration to external servers
✓ No reverse shells or C2 communication patterns
✓ Uses public, well-known SearX infrastructure
✓ Fallback mechanism for instance discovery is reasonable
✓ No suspicious dependencies or package installations