Is adelpro/private-web-search-searchxng safe?

https://github.com/openclaw/skills/tree/main/skills/adelpro/private-web-search-searchxng

84
SAFE

The private-web-search-searchxng skill is a straightforward wrapper for a self-hosted SearXNG metasearch engine with no evidence of prompt injection, hidden instructions, or malicious exfiltration logic. The primary risks are environmental: the skill requires Docker and instructs the agent to pull and manage containers, and the helper script (search.sh) contains an unsafe jq interpolation of the LIMIT argument. Canary credential files were accessed in read-only mode at timestamps consistent with the oathe monitoring system's own baseline and post-check operations, not with skill code execution; no correlated outbound transmission was observed.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 84/100 · 25%
Code Execution 76/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 85/100 · 10%
Behavioral Reasoning 68/100 · 5%

Findings (6)

MEDIUM · LIMIT parameter interpolated unsafely into jq expression · -12

In scripts/search.sh, the second positional argument ($2) is assigned to LIMIT without validation and interpolated directly into the jq filter string. A caller passing a crafted LIMIT value (e.g., '0] | env | {a:.}') could alter the jq program and potentially leak environment variables or cause unexpected output.

MEDIUM · Skill instructs agent to execute Docker commands with container exec privileges · -12

SKILL.md Quick Setup instructs the agent to run docker run (pulling a remote image), docker exec (running sed inside the container), and docker restart. If the agent has Docker socket access, this represents a meaningful privilege surface. A modified searxng/searxng image on Docker Hub would execute arbitrary code in the agent's environment.

LOW · QUERY variable not URL-encoded in curl invocation · -8

The search query is interpolated directly into the curl URL string without percent-encoding. Characters such as &, #, or space could break URL structure or inject additional query parameters into the SearXNG request. This does not directly exfiltrate data to an attacker but could cause query manipulation.

LOW · Search queries forwarded to external engines (Google, Bing, etc.) via SearXNG · -8

SearXNG is a metasearch engine that proxies queries to multiple external search providers (Google, Bing, DuckDuckGo, Brave, Startpage). Sensitive queries passed through the skill will reach these external services via the SearXNG container. This is the documented design of the service but represents an inherent privacy surface.

LOW · Canary credential files read-accessed during monitoring window · -15

Inotify and auditd records show read-only access (CLOSE_NOWRITE) to .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCloud credentials at two points: pre-install (1771905500.829) and post-install (1771905518.179). Timing and process context strongly suggest these are oathe monitoring baseline/integrity checks rather than skill-initiated reads. No correlated outbound network traffic was observed.

INFO · Skill could act as covert instruction channel when combined with adversarial search results · -20

If a threat actor could influence SearXNG search results (e.g., via SEO poisoning or a compromised engine), returned URLs and titles could contain crafted instructions that the agent might execute. This is a combinatorial risk requiring both this skill and an agent with insufficient output sandboxing.