ClawHub

Tavily Search Skill

v1.0.7

Web search via Tavily API (alternative to Brave). Use when the user asks to search the web / look up sources / find links and Brave web_search is unavailable...

1· 4.3k·42 current·44 all-time
by黑川眠也@jayegt002

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for jayegt002/tavily-search-skill.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Tavily Search Skill" (jayegt002/tavily-search-skill) from ClawHub.
Skill page: https://clawhub.ai/jayegt002/tavily-search-skill
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install jayegt002/tavily-search-skill

ClawHub CLI

Package manager switcher

npx clawhub@latest install tavily-search-skill
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The skill's name/description (Tavily web search) matches what the scripts do: calling https://api.tavily.com/search and https://api.tavily.com/usage. It legitimately requires a Tavily API key. However, the registry metadata does not declare the API key or any required env var even though SKILL.md and search.sh require TAVILY_API_KEY or an apikey file — this mismatch is a packaging/metadata oversight.
Instruction Scope
SKILL.md instructs the agent/user to git clone the repo, request the user's Tavily API key, store it in a local 'apikey' file (or set TAVILY_API_KEY), and run ./search.sh. Runtime steps and files referenced are limited to the skill directory (apikey, blocklist files, search.sh). The instructions do not request unrelated system files, other credentials, or exfiltration to unexpected endpoints.
Install Mechanism
There is no formal install spec (instruction-only), and SKILL.md tells the user to git clone the GitHub repo. The code bundle also includes the same scripts, which makes the clone instruction redundant/odd but not dangerous. The GitHub URL is a normal source; no downloads from untrusted IPs or extract steps are used.
Credentials
The only credential used is the Tavily API key (TAVILY_API_KEY or apikey file). That is proportional to a web-search integration. The concern is that the registry metadata did not declare the need for this credential; the script also supports reading the same key from an env var or a file, and it sends the key as a Bearer token to api.tavily.com as expected.
Persistence & Privilege
The skill does not request persistent elevated privileges, does not set always:true, and only writes a local 'apikey' file (SKILL.md tells user to create it). It does not modify other skills or global agent configuration.
Assessment
This skill appears to do what it claims: call the Tavily search API and optionally filter results with a local blocklist. Before installing, verify the GitHub repo URL is the intended source and review the repo contents. Be aware the skill asks you to provide your Tavily API key and suggests storing it in a local file named 'apikey' (it sets chmod 600 in instructions). If you prefer, set TAVILY_API_KEY in your environment instead of writing a file. The main oddities are: the registry metadata doesn't list the required API key and SKILL.md asks you to git clone even though the package contains the scripts — these are packaging issues rather than security red flags. Run the script in an isolated environment if you are unsure, and verify it only contacts api.tavily.com (no other remote endpoints are present in the files).

Like a lobster shell, security has layers — review code before you run it.

latestvk974tq4642yw4a82ppn86dzmq1842dtmsecurityvk977cngyhvw7txn6awcrmj3ft584216j
4.3kdownloads
1stars
8versions
Updated 3w ago
v1.0.7
MIT-0
黑川眠也@jayegt002
latestsecurity
Download

Tavily Search Skill

OpenClaw Skill for performing high quality web searches using the Tavily API.

Directory Structure

tavily-search-skill/
├── SKILL.md                    ← must stay at root
├── search.sh                   ← must stay at root (entry script)
├── apikey                      ← API Key file (user creates this)
├── _meta.json
└── blocklist/
    ├── blocklist.json         ← blacklist config
    └── filter_blocklist.py     ← filter script

Agent Workflow

When instructed to install this skill, follow these steps in order:

Step 1: Install the skill

git clone https://github.com/JayeGT002/Tavily-Search-Skill.git tavily-search-skill
cd tavily-search-skill

Step 2: Request API Key from user

Ask the user: "请提供你的 Tavily API Key,用于配置搜索功能。获取地址:https://app.tavily.com/api-keys"

Wait for the user's API Key reply before proceeding.

Step 3: Create apikey file

echo "USER_PROVIDED_API_KEY" > apikey
chmod 600 apikey

Step 4: Verify installation

./search.sh "test"

A successful response contains search results and quota info.

Blacklist Management

The blacklist filters out low quality or untrusted sources from search results.

View current blacklist

cat blocklist/blocklist.json

Add a domain to blacklist

When the user says "block [domain]", update blocklist/blocklist.json:

Root domains automatically match all subdomains. Example: adding csdn.net also blocks blog.csdn.net, download.csdn.net, etc.

Filter feedback

When results are filtered, a message is written to stderr (not visible in normal output). Check stderr if you suspect filtering is silently removing results.

Usage

Basic Search

./search.sh "search query"

Specify Result Count

./search.sh "query" 10

Include Images

./search.sh "query" 5 true

Dependencies

  • curl
  • jq

Install if missing:

  • Ubuntu/Debian: sudo apt-get install curl jq
  • macOS: brew install curl jq
  • Alpine: apk add curl jq

Comments

Loading comments...