tavily-research-pro
Pass
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a straightforward Tavily research/search skill, with expected Tavily API use, though users should notice that their queries, URLs, and Tavily API key are sent to Tavily and one metadata-named file is oddly packaged as code.
This skill is reasonable to install if you intend to use Tavily for research. Before installing, confirm you trust the publisher/source, use an appropriate Tavily API key, and avoid submitting sensitive queries or private URLs unless you are comfortable sending them to Tavily.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill consumes and exposes your Tavily API key to Tavily for authenticated API requests, which is expected for this integration.
The skill reads the Tavily API key from the environment and sends it to the official Tavily API endpoint as part of normal provider authentication.
const apiKey = (process.env.TAVILY_API_KEY ?? "").trim(); ... body: JSON.stringify({ api_key: apiKey, query: query, ... })
Use a Tavily key you are comfortable using with this skill, monitor usage/billing, and rotate the key if you no longer trust the installation.
Search terms and target URLs you provide may be visible to Tavily and processed under Tavily's service terms.
The artifact clearly discloses that user queries and URLs are sent to an external provider for search and extraction.
This skill transmits user-provided search queries and specified target URLs to `api.tavily.com` for processing and information extraction.
Avoid putting secrets, private internal URLs, or sensitive unpublished research details into queries or extraction URLs unless you intend to send them to Tavily.
The package layout is somewhat confusing and could make it harder to tell which files are metadata versus executable code.
A file named as JSON metadata actually contains runnable Node.js search code, creating a packaging/provenance inconsistency even though the code itself matches the skill's stated Tavily-search behavior.
#!/usr/bin/env node
// Advanced search tool - enhanced security and compliance edition
...
const resp = await fetch("https://api.tavily.com/search", {
Prefer a corrected package where _meta.json is valid metadata, or review this file before installation; no hidden non-Tavily endpoint or automatic execution is shown in the provided artifacts.
