tavily-extract-zh

Security checks across malware telemetry and agentic risk

Overview

This skill is advertised as a URL text extractor, but the bundled client also exposes broader search and AI synthesis commands.

Review before installing. Use it only if you are comfortable giving the bundled client your AISA_API_KEY and allowing URLs, queries, and retrieved content to be sent to AISA endpoints beyond simple extraction. If installed, invoke only the extract subcommand for URL body extraction and avoid private or sensitive URLs unless you trust that service’s handling of the data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (7)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 85%
Finding: The skill declares required environment variables and invokes a Python client that performs outbound API calls, but it does not declare explicit permissions for env and network access. This weakens sandboxing and review controls because the runtime capabilities exceed what the manifest transparently communicates, increasing the chance of unintended secret use or network exfiltration.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 93%
Finding: The skill is presented as a narrow Tavily page-extraction tool, but the referenced behavior indicates much broader search, model-querying, synthesis, and multi-source aggregation capabilities. This mismatch is dangerous because users and policy engines may authorize a low-risk extraction skill while the implementation can perform materially different network actions and process data in ways not disclosed.

Intent-Code Divergence

Severity: Medium
Confidence: 82%
Finding: The run instructions point to a generic repository client rather than a dedicated extraction-only script, which suggests operators may execute tooling with capabilities beyond the skill's stated purpose. In practice this creates a confused-deputy risk: a seemingly limited skill can inherit broader search or querying features from the shared client and make unintended external requests.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding: The file advertises and implements a broad multi-search and research CLI, while the skill metadata says it should only extract clean page text from provided URLs. This mismatch expands the skill's capabilities beyond user and platform expectations, increasing the risk of unintended data transmission, unauthorized web querying, and misuse in contexts that assumed a narrow extraction-only tool.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding: The command parser exposes multiple subcommands for web search, scholar search, Tavily search, Perplexity-style querying, and multi-source synthesis even though the skill is described as URL extraction only. In an agent setting, hidden or undocumented capabilities are dangerous because they can be invoked to send user prompts and research targets to external services outside the expected scope.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding: The verity workflow performs parallel multi-source retrieval, computes confidence scores, and sends aggregated results for AI synthesis via another endpoint. For a URL-body extraction skill, this is unnecessary privilege and data-flow expansion that can expose user queries and collected content to additional services without clear justification.

Intent-Code Divergence

Severity: Medium
Confidence: 94%
Finding: The module docstring explicitly presents the code as a multi-search engine client, contradicting the manifest's extraction-only purpose. Documentation mismatch is a security issue in agent ecosystems because review, policy gating, and user consent often rely on the declared function of the skill.

VirusTotal

67/67 vendors flagged this skill as clean.