Back to skill

Security audit

Tavily Research

Security checks across malware telemetry and agentic risk

Overview

The skill is for Tavily research and mostly fits that purpose, but it tells the agent to run an unverified remote installer and login flow before use.

Install only if you trust Tavily's CLI installer and are comfortable with it running shell code on your machine. Prefer installing the CLI through a verified package or inspecting the installer first, and confirm where `tvly login` stores credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

External Script Fetching

High
Category
Supply Chain
Content
If `tvly` is not found on PATH, install it first:

```bash
curl -fsSL https://cli.tavily.com/install.sh | bash && tvly login
```

Do not skip this step or fall back to other tools.
Confidence
99% confidence
Finding
curl -fsSL https://cli.tavily.com/install.sh | bash

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.