Is searxng-bangs safe?

https://clawhub.ai/rpeters511/searxng-bangs

72
CAUTION

This skill is a straightforward SearXNG search wrapper using only Python stdlib with no malicious code, no install hooks, and clean clone behavior. However, it creates a persistent outbound data channel by design — every search query is sent to a configurable external HTTP endpoint. While the default points to localhost, the documentation actively encourages pointing to third-party public instances, creating a query exfiltration risk. The skill is functionally benign but architecturally risky for privacy-sensitive environments.

Category Scores

Prompt Injection 82/100 · 30%
Data Exfiltration 55/100 · 25%
Code Execution 60/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 50/100 · 5%

Findings (9)

MEDIUM User queries sent to configurable external endpoint -30

Every search query is sent via HTTP to whatever URL is configured in SEARXNG_URL. The default is localhost:8080, but the skill actively encourages overriding this to public instances (searx.be) or custom URLs. An attacker who controls the SearXNG instance receives all search queries in plaintext, which may contain sensitive information the user asks the agent to look up.

MEDIUM Executable Python script with outbound HTTP -25

The skill contains a Python script that the agent is instructed to execute. While the script uses only stdlib and appears benign, it establishes a pattern of running code that makes outbound network requests. The script could be updated in future versions to include additional functionality.

LOW Persuasive description nudges agent toward skill usage -8

The SKILL.md description includes 'Prefer this over external search APIs for privacy-sensitive queries or high-volume searches', which attempts to influence the agent's tool selection behavior. While not a direct prompt injection, it biases the agent toward routing searches through this skill's infrastructure.

LOW Skill recommends subprocess pattern in documentation -10

The SKILL.md includes a Python code example showing how to call the script via subprocess.run(), which normalizes arbitrary command execution patterns for the agent.

LOW User-Agent string leaks platform identity -5

The script sets User-Agent to 'Mozilla/5.0 (OpenClaw Agent)', which reveals to the SearXNG instance (and any intermediary) that the requests come from an AI agent platform, potentially enabling targeted attacks.

INFO Public instance recommendations route through third parties -10

The documentation recommends public SearXNG instances (searx.be, searx.space) as alternatives to self-hosting. Users who follow this advice route all their search queries through third-party servers they have no control over.

MEDIUM Persistent query exfiltration channel via normal usage -50

Unlike a one-time exfiltration attempt, this skill creates an ongoing channel where every future search query flows through the configured endpoint. If the endpoint is compromised or malicious, the attacker gains a continuous stream of all information the user asks the agent to search for — potentially including proprietary code details, business information, or personal queries.

INFO Clean installation with no suspicious behavior -5

Installation monitoring shows no network activity, no process spawning, and no filesystem modifications outside the skill directory. The .env and .aws/credentials reads observed in filesystem monitoring are attributable to the OpenClaw platform initialization, not the skill itself.

LOW No input sanitization on query parameters -15

User-provided search queries and bang parameters are passed directly into URL parameters without validation. While urllib.parse.urlencode handles URL encoding, there is no length limit or content validation, which could allow crafted queries to exploit vulnerabilities in the SearXNG instance.