Low risk (risk score 20/100)
Last scan: 2 days ago
searx-search
Web search using free SearX instances
Legitimate web search skill using public SearX instances with minor security considerations around User-Agent spoofing and dependency on Node.js.
Skill name: searx-search
Analysis time: 35.8s
Engine: pi
Verdict: can be installed
Consider documenting the Node.js dependency explicitly. The hardcoded IP in User-Agent is a false positive (it's a Chrome version number).

Security findings (3)

Low: User-Agent string hardcoded (scripts/search_searx.sh:43)
The script hardcodes a Chrome User-Agent string (Chrome/120.0.0.0) to avoid bot detection when querying public SearX instances. While this is common practice, it obscures the actual client making the requests.
Evidence: curl -s -A "Mozilla/5.0...Chrome/120.0.0.0..."
→ Document this as an intentional anti-bot bypass for public API access

Info: Node.js runtime dependency not documented (scripts/search_searx.sh:24)
The script uses 'node -e' for JSON parsing and URL encoding, so Node.js must be installed. This dependency is not declared in SKILL.md.
Evidence: node -e "const data = JSON.parse..."
→ Add Node.js as a runtime requirement in SKILL.md

Info: Pre-scan false positive: IP address flagging (scripts/search_searx.sh:43)
The pre-scan flagged '120.0.0.0' as a hardcoded IP address, but it is part of the User-Agent version string (Chrome/120.0.0.0), not a network address.
Evidence: Chrome/120.0.0.0
→ No action needed - false positive
Resource type | Declared permission | Inferred permission | Status | Evidence
Network access | READ | READ | ✓ consistent | SKILL.md:16 - Fetches instances.json and performs search queries
Command execution | NONE | WRITE | ✓ consistent | scripts/search_searx.sh:2 - Uses curl, node -e for processing
File system | NONE | NONE | | No file read/write operations; node reads from stdin only
Environment variables | NONE | NONE | | No access to environment variables
Clipboard | NONE | NONE | | Not used
Browser | NONE | NONE | | Not used
Database | NONE | NONE | | Not used
Skill invocation | NONE | NONE | | Not used
Pre-scan findings: 6 (1 high)

Severity | Type | Finding | Value | Location
High | IP address | Hardcoded IP address | 120.0.0.0 | scripts/search_searx.sh:43
Medium | External URL | External URL | https://searx.space/. | SKILL.md:3
Medium | External URL | External URL | https://searx.space/data/instances.json | SKILL.md:16
Medium | External URL | External URL | https://searx.be | scripts/search_searx.sh:16
Medium | External URL | External URL | https://searx.org | scripts/search_searx.sh:17
Medium | External URL | External URL | https://searx.xyz | scripts/search_searx.sh:18

Directory structure

2 files · 3.8 KB · 113 lines
Shell: 1 file · 76 lines; Markdown: 1 file · 37 lines
├─ scripts/
│  └─ search_searx.sh (Shell, 76 lines, 2.4 KB)
└─ SKILL.md (Markdown, 37 lines, 1.5 KB)

Dependency analysis (2)

Package | Version | Source | Known vulnerabilities | Notes
curl | system | system utility | | Standard POSIX tool for HTTP requests
node | system | system dependency | | Used for JSON parsing and URL encoding; not declared in SKILL.md

Security highlights

✓ Skill behavior is fully documented in SKILL.md
✓ No credential harvesting or sensitive path access
✓ No base64 encoded payloads or obfuscated code
✓ No data exfiltration to external servers
✓ No reverse shells or C2 communication patterns
✓ Uses public, well-known SearX infrastructure
✓ Fallback mechanism for instance discovery is reasonable
✓ No suspicious dependencies or package installations