tavily-search-up

Security checks across malware telemetry and agentic risk

Overview

This is a Tavily-powered search and webpage extraction skill. It sends user-provided queries and URLs to Tavily as expected; privacy caution is warranted, but there is no evidence of hidden or destructive behavior.

Install only if you are comfortable sending search terms, webpage URLs, and extraction targets to Tavily. Avoid using it with secrets, private internal URLs, pre-signed links, or confidential research topics unless external Tavily processing is acceptable for your environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (9)

Missing User Warnings

Medium
Confidence: 92%
Finding
The script transmits user-supplied URLs and the API credential to an external service without any explicit consent flow, warning, or privacy disclosure. In a skill context, users may assume local processing, so sending potentially sensitive targets to a third party can leak internal URLs, investigation targets, or other confidential metadata.

Missing User Warnings

Medium
Confidence: 94%
Finding
The script sends both the user-provided query and the Tavily API key to an external third-party service, but it does not clearly disclose that network transmission will occur or what data leaves the local environment. In an agent skill context, users may assume a local search helper; undisclosed external transmission can expose sensitive prompts, internal project names, or confidential research terms.

Missing User Warnings

Medium
Confidence: 93%
Finding
The script sends both the user-provided query and the Tavily API key to an external third-party service, but the code provides no user-facing disclosure or consent flow before transmitting the query. In a skill context, this matters because users may assume local processing for 'sentiment analysis' while their input is actually exfiltrated to a remote provider, creating privacy and data-handling risk.

External Transmission

Medium
Category: Data Exfiltration
Content
process.exit(1);
}

const resp = await fetch("https://api.tavily.com/extract", {
  method: "POST",
  headers: { "Content-Type": "application/json" },
  body: JSON.stringify({ api_key: apiKey, urls: [url] }),
Confidence: 94%
Finding: fetch("https://api.tavily.com/extract", { method: "POST"

External Transmission

Medium
Category: Data Exfiltration
Content
process.exit(1);
}

const resp = await fetch("https://api.tavily.com/extract", {
  method: "POST",
  headers: { "Content-Type": "application/json" },
  body: JSON.stringify({ api_key: apiKey, urls: [url] }),
Confidence: 94%
Finding: https://api.tavily.com/

External Transmission

Medium
Category: Data Exfiltration
Content
console.log(`\n🔍 **正在深潜互联网寻找关于 "${query}" 的答案...**\n`);

const resp = await fetch("https://api.tavily.com/search", {
  method: "POST",
  headers: {
    "Content-Type": "application/json",
Confidence: 90%
Finding: fetch("https://api.tavily.com/search", { method: "POST"

External Transmission

Medium
Category: Data Exfiltration
Content
console.log(`\n🔍 **正在深潜互联网寻找关于 "${query}" 的答案...**\n`);

const resp = await fetch("https://api.tavily.com/search", {
  method: "POST",
  headers: {
    "Content-Type": "application/json",
Confidence: 90%
Finding: https://api.tavily.com/

External Transmission

Medium
Category: Data Exfiltration
Content
process.exit(1);
}

const resp = await fetch("https://api.tavily.com/search", {
  method: "POST",
  headers: { "Content-Type": "application/json" },
  body: JSON.stringify({
Confidence: 87%
Finding: fetch("https://api.tavily.com/search", { method: "POST"

External Transmission

Medium
Category: Data Exfiltration
Content
process.exit(1);
}

const resp = await fetch("https://api.tavily.com/search", {
  method: "POST",
  headers: { "Content-Type": "application/json" },
  body: JSON.stringify({
Confidence: 87%
Finding: https://api.tavily.com/

VirusTotal

66/66 vendors flagged this skill as clean.