Trust Assessment
searxng received a trust score of 84/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 1 high, 0 medium, and 1 low severity. Key findings: an insecure HTTPS connection (SSL verification disabled) and unpinned dependencies.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Insecure HTTPS connection (SSL verification disabled). The `scripts/searxng.py` script explicitly disables SSL certificate verification (`verify=False`) when making HTTPS requests to the `SEARXNG_URL`, and it suppresses the related warnings. This leaves the connection open to Man-in-the-Middle (MITM) attacks: an attacker on the path could intercept sensitive search queries and results or inject malicious content. Although the code comment says this is for 'local self-signed certs', the blanket disablement applies to *any* configured `SEARXNG_URL`, including external ones, compromising data integrity and confidentiality. Remediation: 1. Remove `warnings.filterwarnings('ignore', message='Unverified HTTPS request')` from line 34. 2. Remove `verify=False` from the `httpx.get` call on line 59. 3. If self-signed certificates are genuinely needed for local development, configure `httpx` to trust a specific CA certificate bundle rather than disabling verification entirely; for production, ensure `SEARXNG_URL` uses a properly signed certificate from a trusted Certificate Authority. | LLM | scripts/searxng.py:59 |
| LOW | Unpinned dependencies. The `httpx` and `rich` dependencies are declared without version pins in the `/// script` block, so `uv` always fetches the latest available versions. While convenient, this can bring unexpected breaking changes or introduce new vulnerabilities if a future release of a dependency contains a flaw. Remediation: pin dependencies to specific versions (e.g., `httpx==0.27.0`, `rich==13.7.0`) to ensure deterministic builds and prevent unexpected issues from upstream changes, and regularly review and update the pinned versions. | LLM | scripts/searxng.py:3 |
Full report: https://skillshield.io/report/66ac0d3eecb092f2 (powered by SkillShield)