mdgs-tavily-search-skill

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Tavily web search and crawling helper with expected API-key and outbound web behavior, but users should avoid sending sensitive queries or private URLs.

Install only if you are comfortable using a Tavily API key and sending search terms, URLs, and crawl or research requests to Tavily and relevant websites. Set explicit depth, page, and source limits, and do not use it with secrets, internal URLs, personal data, or regulated content unless that third-party sharing is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 93%
Finding:
The description says the skill performs search, extraction, crawling, mapping, and research through Tavily, but it does not warn that user prompts, URLs, or extracted content may be transmitted to an external third-party API. That omission creates a privacy and compliance risk because users may unknowingly send sensitive or proprietary data off-platform.

Missing User Warnings

Medium
Confidence: 91%
Finding:
The crawl, map, and research modes encourage broad collection across third-party websites but provide no safety limits, consent guidance, or warning about load, terms-of-service, and data-minimization concerns. In context, this makes the skill more dangerous because it is specifically designed for large-scale remote collection, which can unintentionally overreach or impact external systems.

Unpinned Dependencies

Low
Category: Supply Chain
Content:
  "author": "",
  "license": "ISC",
  "dependencies": {
    "@tavily/core": "^0.7.2"
  }
}
Confidence: 85%
Finding: "@tavily/core": "^0.7.2"

VirusTotal

64/64 vendors flagged this skill as clean.
