searxng
Audited by Gen Agent Trust Hub on Feb 12, 2026
================================================================================
🟡 VERDICT: MEDIUM
This skill is generally well-structured and aims for privacy by using a local SearXNG instance. However, the explicit disabling of SSL certificate verification (verify=False) in its network requests introduces a significant security vulnerability. While intended for local self-signed certificates, it creates a Man-in-the-Middle (MITM) risk if the SEARXNG_URL is configured to an external, untrusted endpoint, potentially leading to the leakage of search queries and other data.
Total Findings: 2
🟡 MEDIUM Findings: • Insecure Network Communication (SSL Verification Disabled)
- scripts/searxng.py:100
Evidence snippet:
verify=False  # For local self-signed certs
Explanation: The script explicitly disables SSL certificate verification for HTTPX requests. This makes the connection vulnerable to Man-in-the-Middle (MITM) attacks, where an attacker could intercept and read/modify data (including search queries) sent between the skill and the SearXNG instance, especially if the SEARXNG_URL is configured to an external server. Although documented as being for local self-signed certificates, this weakens a fundamental security control and poses a data leakage risk.
🔵 LOW Findings: • External Python Dependencies
- scripts/searxng.py:3
Evidence snippet:
dependencies = ["httpx", "rich"]
Explanation: The skill declares external Python dependencies (httpx, rich) which will be downloaded from PyPI. While these are standard, widely-used libraries from a trusted source, they represent external code not directly audited within this skill's files. This is noted as a low risk for external downloads.
================================================================================