Your AI gets tools.
The network gets nothing.
Searxly Agentic Tools is a small server that runs inside the app, on your machine, and lets your own local AI call Searxly's private-web tools. It listens only on loopback, demands a token on every request, and is off until you turn it on. No other machine, and no AI company, can reach it. And every call it does accept is screened by Bulwark — the same open-source shield that guards summaries, extended to guard the whole tool loop.
Searxly exposes the tools. You bring the model.
Searxly no longer ships an AI of its own. Instead it exposes its private browsing as tools that the local model you already run can call over the Model Context Protocol. This page is about how that tool server is secured — every barrier between your model's requests and the rest of your machine, and why nothing here ever reaches a cloud.
Local by construction, off by default.
Loopback only
The server binds 127.0.0.1 and never 0.0.0.0. As defense in depth, even a connection that somehow arrives from off the machine is refused outright.
Token on every request
A random token is minted into your Keychain and required as a bearer credential on every call, compared in constant time. No token, no tools.
Anti DNS-rebinding
Any request carrying an Origin header is rejected, and the Host must be loopback — so a malicious web page can't trick your browser into driving the server behind your back.
Off by default
It ships disabled. Turning it on is an explicit choice, and its status is shown plainly while it runs.
Per-tool switches
Turn individual tools on or off. A disabled tool disappears from discovery and is refused if a model tries to call it anyway.
Browser control is a second opt-in
The tools that can act on your tab — click, type, navigate — are hidden and refused until you separately enable browser control.
Nothing to any AI provider
Tools ride your own SearXNG and your own machine. Searxly sends nothing to any model host; the AI is the one you chose to run.
Runs sandboxed
The server lives inside the App Sandbox with only the loopback-server entitlement it needs — nothing more.
Every call logged
A live activity log records each tool call, so you can see exactly what your model did and when.
Bulwark on every call
Every call is screened by Bulwark before it runs, and every web result is scanned and wrapped as data before your model reads it. Details below.
Attacks pause actions
If a page tries to instruct your model, the tools that act are paused on the spot. Searching and reading keep working; only you can press resume.
Runaway loops stopped
A sliding rate limit and repeated-call detection stop a stuck — or hijacked — model from hammering the tools faster than any real work looks like, and it tells the model exactly how long to wait before trying again.
Ask before it acts
Filling a form is free, but submitting one — posting data, creating an account, sending a message — pauses for your one-tap approval. Only the irreversible step waits for you.
A logged-out agent
Optionally wall the agent off in a private, logged-out tab, so it can't act as the signed-in you or touch your sessions and cookies.
Your instant kill switch
One tap pauses every acting tool while searching and reading keep working — the moment anything looks off, you stop it cold.
Personal details, redacted
Emails, phone numbers, card numbers, names and addresses in tool results are swapped for placeholders by Rampart before your model ever sees them — so a cloud model never receives your private data.
Reading is easy. Acting is the risk.
A summarizer that gets fooled writes a bad summary. An agent that gets fooled does things. When a model can call tools, a hostile page doesn't just skew the answer — it tries to steer the next tool call. That's why every Agentic Tools call passes through Bulwark, our open-source safeguard, upgraded from guarding summaries to guarding the whole agent loop. It also runs the other way: Rampart strips personal information out of every result before your AI sees it, so nothing private leaks to a cloud model.
One hostile page tries to become your hands.
The canonical agent attack is an escalation chain: the model reads a page that hides an instruction, the instruction tells it to call a different tool, and that call carries your data to someone else's server. Bulwark breaks the chain at more than one link — so even a model that was fooled can't complete the theft.
- ✓The page's text reaches the model wrapped as data, not instructions
- ✓The attack is detected — tools that act are paused
- ✓The exfiltration link itself is refused on shape alone
Three choke points.
Arguments before a tool runs
Every argument is screened. Links that exist only to carry data out are refused on shape alone — thousands of characters long, a giant encoded blob in the query, credentials baked into the host, or a non-web scheme like javascript:. Arguments carrying invisible Unicode (the hidden-characters trick) are refused outright. The model gets a plain-language reason, not a silent failure.
Outputs after a web tool returns
Search results, pages, and snapshots are sanitized, scored against Bulwark's multilingual injection signatures, and wrapped in a random-nonce boundary before your model reads them — the same spotlighting that protects summaries. The content arrives as unmistakably data; a fake closing tag inside the page can't escape the wrapper.
The loop across calls
A sliding rate limit stops runaway loops. And the taint rule: the moment injected content is seen in any result, every tool that acts — click, type, navigate, open tabs, save bookmarks — is refused, while read-only search and reading keep working. The pause holds until a human ends it.
Paused means paused — until you say otherwise.
When protection triggers, Settings → Agentic Tools shows what happened in plain words — which tool brought the hostile content in, and what's paused — next to a single Resume actions button. The refusal your model receives tells it to ask you, not to retry. No timeout quietly re-arms it; no model can talk its way past it.
The honest caveat applies here as everywhere: prompt injection is not a solved problem, and nobody should tell you their agent is unhackable. Bulwark's job is layered containment — the easy attacks fail outright, the hard ones trip a wire on their way through, and the moment one does, your browser stops acting and starts asking.
Every request runs a gauntlet.
A tool call from your model arrives on the loopback interface, carries its bearer token, and is checked for a hostile Origin before anything runs. Then Bulwark screens the call itself — arguments, rate, and whether actions are paused. Only then does the tool execute — against your own SearXNG or your own active tab — and the result comes back scanned, wrapped, and logged. At no point does a request, a prompt, or a result cross to a Searxly server or any AI provider.
- ✓Loopback bind — unreachable from the network
- ✓Token, Origin and Host checked on every call
- ✓Bulwark screens the call and wraps the result
- ✓Runs against your SearXNG, on your Mac
A typical browser AI backend
- ✕Your prompt and page context leave for a vendor's servers
- ✕The model is theirs — you can't see or swap it
- ✕Always on, tied to an account and an ad identity
- ✕Tool calls run unguarded — one hostile page can steer them
- ✕You trust a pipeline you can't inspect
Searxly Agentic Tools
- ✓Tools run on your Mac — nothing sent to any AI company
- ✓The model is yours, whichever one you run
- ✓Off by default · loopback-only · token-gated
- ✓Every call screened by Bulwark — open source, auditable
- ✓Open standard, every call logged
The server is local. Your choice of model is yours.
Searxly's tools never leave your Mac — but the AI that calls them is one you choose. Point Agentic Tools at a local model such as Ollama or LM Studio and the entire loop is on-device, verifiable with a network monitor. Point it at a cloud model and, while Searxly still runs the tools locally, whatever your client sends to that provider is between you and them. If you want nothing at all to leave, run a local model. Agentic Tools was built for exactly that.
“Capability without surveillance.”
The most private assistant is the one you already run — given honest tools and nothing to phone home about.