Trust Assessment
searxng received a trust score of 75/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 4 findings: 0 critical, 1 high, 2 medium, and 1 low severity. Key findings include Disabled SSL/TLS Certificate Verification, Potential Prompt Injection via Malicious API Response, and Data Exfiltration via Configurable External Endpoint.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 69/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Disabled SSL/TLS Certificate Verification.** The script explicitly disables SSL/TLS certificate verification (`verify=False`) for HTTP requests made to the `SEARXNG_URL`. This makes the connection vulnerable to Man-in-the-Middle (MitM) attacks, allowing an attacker to intercept sensitive search queries, read data, and potentially inject malicious responses. While the code comment suggests this is for local self-signed certificates, the disablement is blanket and applies to any configured `SEARXNG_URL`, including potentially external or attacker-controlled endpoints. Remove `verify=False` from the `httpx.get` call and the `warnings.filterwarnings` line. If self-signed certificates are strictly necessary for a local instance, consider providing a mechanism to specify a trusted CA bundle or restrict `verify=False` only to `http://localhost` or `http://127.0.0.1` URLs. Ideally, use properly configured HTTPS certificates. | LLM | scripts/searxng.py:64 |
| MEDIUM | **Potential Prompt Injection via Malicious API Response.** The skill retrieves search results from a configurable SearXNG instance and displays them directly to the user or the host LLM, either as a formatted table or raw JSON. If the `SEARXNG_URL` is manipulated to point to a malicious server, that server could return crafted search results containing instructions designed to manipulate the host LLM. These instructions, if processed by the LLM, could lead to prompt injection, allowing the attacker to control the LLM's subsequent actions. The `display_results_json` function is particularly vulnerable as it outputs raw, unsanitized JSON. Implement robust sanitization or filtering of all user-controlled strings (e.g., `title`, `url`, `content`) from the SearXNG response before displaying them to the user or passing them back to the host LLM. This could involve stripping specific keywords, limiting length, or using an allow-list approach for content. For JSON output, consider adding a wrapper or a schema validation that explicitly marks fields as untrusted or sanitizes them. | LLM | scripts/searxng.py:140 |
| MEDIUM | **Data Exfiltration via Configurable External Endpoint.** The `SEARXNG_URL` is read from an environment variable and can be configured by the user via the skill's manifest. If an attacker can manipulate this environment variable (e.g., through a prompt injection into the LLM's configuration mechanism), they could redirect all search queries, which may contain sensitive user information, to an arbitrary external server under their control. The disabled SSL/TLS verification (SS-SEC-002) exacerbates this risk by making it easier to set up a malicious server without proper certificates. Restrict the `SEARXNG_URL` to only allow `localhost` or `127.0.0.1` addresses, or provide a clear warning to users about the risks of pointing it to untrusted external services. If external services are required, ensure strict validation of the URL and enforce SSL/TLS verification. | LLM | scripts/searxng.py:43 |
| LOW | **Unpinned Dependencies in Skill Package.** The skill's Python dependencies (`httpx`, `rich`) are specified without pinned versions. This means that during installation, the latest available versions will be downloaded. While this often includes security updates, it also introduces a supply chain risk where a malicious update to a dependency or a breaking change could be introduced without explicit review. This can lead to unexpected behavior or security vulnerabilities if a compromised version is published. Pin dependencies to specific versions (e.g., `httpx==0.25.0`, `rich==13.7.0`) to ensure deterministic builds and prevent unexpected behavior or supply chain attacks from new versions. Regularly audit and update these pinned versions. | LLM | scripts/searxng.py:4 |