Trust Assessment
searxng-search received a trust score of 70/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 0 critical, 1 high, 3 medium, and 0 low severity. Key findings include Suspicious import: urllib.request, Command Injection via unsanitized SEARXNG_URL in shell script, Potential Data Exfiltration via configurable SearXNG endpoint.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings4
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Command Injection via unsanitized SEARXNG_URL in shell script The `searxng_search.sh` script uses the `SEARXNG_URL` environment variable directly within a `curl` command without proper sanitization or escaping for shell execution. If an attacker can control the `SEARXNG_URL` environment variable (e.g., through a compromised environment or configuration), they can inject arbitrary shell commands. For example, setting `SEARXNG_URL='http://example.com"; evil_command; #'` would lead to `evil_command` being executed on the host system. Ensure that environment variables used in shell commands are properly sanitized or escaped. For URLs, it is best practice to validate the `SEARXNG_URL` as a legitimate URL before use. Alternatively, use `curl --url "$SEARXNG_URL/search?q=$ENCODED_QUERY&format=json"` which treats the argument as a URL, preventing shell injection. | LLM | searxng_search.sh:50 | |
| MEDIUM | Suspicious import: urllib.request Import of 'urllib.request' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/zfanmy/searxng-search-2/mcp-server.py:13 | |
| MEDIUM | Potential Data Exfiltration via configurable SearXNG endpoint The skill is designed to send all search queries (which are user-provided) to the `SEARXNG_URL` specified in the environment or `config.json`. If this URL is configured to point to an attacker-controlled server, any sensitive information contained within these search queries could be exfiltrated. While `SEARXNG_URL` is an administrator-set configuration, its misconfiguration or compromise could lead to data loss. Administrators should ensure `SEARXNG_URL` points only to trusted SearXNG instances. Consider implementing network egress filtering to restrict connections from the skill's execution environment to only approved external endpoints. | LLM | mcp-server.py:14 | |
| MEDIUM | Potential Server-Side Request Forgery (SSRF) via configurable SearXNG endpoint The skill makes network requests to the `SEARXNG_URL` specified in the environment or `config.json`. If this URL is configured to point to an internal network resource (e.g., `http://localhost:8080/admin`), the skill could be coerced into performing requests against internal services, potentially bypassing firewall rules or accessing sensitive internal APIs. This constitutes a Server-Side Request Forgery (SSRF) risk. While `SEARXNG_URL` is an administrator-set configuration, its misconfiguration or compromise could lead to internal network exposure. Administrators should ensure `SEARXNG_URL` points only to trusted, external SearXNG instances. Implement strict network egress filtering to prevent the skill from making requests to internal IP ranges or unapproved external hosts. Consider validating the `SEARXNG_URL` format to disallow internal IPs or non-HTTP/HTTPS schemes. | LLM | mcp-server.py:14 |
Scan History
Embed Code
[](https://skillshield.io/report/0fe2c4e7f5bf6dbf)
Powered by SkillShield