searxng-selfhost

Restrict network connections to standard ports (80, 443) and explicitly allowlisted service ports. Block connections to unusual ports that could indicate covert channels.

Likely FP if the non-standard port is localhost (127.0.0.1) used for local development servers (e.g., port 3000, 8080, 5432 for a local database).

Prevent URL redirection from bypassing SSRF protections. Validate the final destination URL after following redirects and block redirect chains that resolve to internal addresses.

Likely FP if the match is documentation about redirect handling behavior without an actual open redirect vulnerability.

Restrict network connections to standard ports (80, 443) and explicitly allowlisted service ports. Block connections to unusual ports that could indicate covert channels.

Likely FP if the non-standard port is localhost (127.0.0.1) used for local development servers (e.g., port 3000, 8080, 5432 for a local database).

Replace direct shell script execution with a language-native implementation or a sandboxed executor. If shell scripts must run, restrict them to a vetted allowlist with integrity checks.

Likely FP if the match references running a script that is part of the skill's own repository (e.g., ./setup.sh) with clear, auditable contents.

Restrict network connections to standard ports (80, 443) and explicitly allowlisted service ports. Block connections to unusual ports that could indicate covert channels.

Likely FP if the non-standard port is localhost (127.0.0.1) used for local development servers (e.g., port 3000, 8080, 5432 for a local database).