searxng-search
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (PROMPT_INJECTION)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill ingests untrusted external data from the web which is then processed by the LLM.
  - Ingestion points: In `scripts/search.js` (search snippets/results) and `scripts/content.js` (full webpage extraction).
  - Capability inventory: The skill allows the agent to read arbitrary web content. When used by high-privilege agents (e.g., those with file-system or shell access like Cursor or Claude Code), this content can influence dangerous downstream actions.
  - Boundary markers: Absent. The scripts use simple text headers like `--- Result ---` or `--- Content ---` which are easily bypassed by adversarial content.
  - Sanitization: The skill performs HTML-to-Markdown conversion using `turndown`, but this does not filter out natural language instructions intended to manipulate the agent.
- Data Exposure & Exfiltration (LOW): The skill performs network requests to external domains and a local SearXNG instance.
  - Network operations: `scripts/search.js` connects to a SearXNG instance (defaulting to localhost) and `scripts/content.js` fetches arbitrary URLs.
  - Mitigation: While it interacts with external sites, it does not access or transmit sensitive local files (e.g., SSH keys, credentials).
- Unverifiable Dependencies (LOW): Uses standard, well-known Node.js libraries for document parsing and markdown conversion.
  - Packages: `@mozilla/readability`, `jsdom`, and `turndown` are standard tools for this purpose.
- Credentials (SAFE): No hardcoded API keys or sensitive credentials found. The `secret_key` in `searxng/settings.yml` is a placeholder for a local development instance.
Recommendations
- AI detected serious security threats
Audit Metadata