tavily-search-zh

Security checks across malware telemetry and agentic risk

Overview

This skill is not destructive, but its included Python client can send queries and URLs to broader AISA search, extraction, model, and synthesis endpoints than the Tavily-only description clearly discloses.

Install only if you want the bundled AISA multi-search client, not just Tavily search. Avoid submitting confidential queries, private/internal URLs, or sensitive documents through extract, sonar, or verity unless AISA’s data handling is acceptable for that content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 91%
Finding
The skill declares required environment variables and a Python runtime, and its stated operation is to call an external search service, which implies network access, but it does not explicitly declare permissions for those capabilities. This creates a transparency and governance gap: reviewers and runtime policy engines may underestimate what the skill can access or transmit, especially since it handles an API key and external requests.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 97%
Finding
The declared purpose is narrow Tavily web search, but the observed behavior reportedly includes multiple unrelated search modes, URL content extraction, Perplexity model calls, result synthesis, and other endpoints. This mismatch is dangerous because it defeats informed consent and policy review: a user or orchestrator may invoke a simple search skill while actually enabling broader data collection, content retrieval, or third-party model exposure.

Description-Behavior Mismatch

High
Confidence: 97%
Finding
The implementation materially exceeds the declared Tavily-only skill scope by exposing multiple unrelated search backends and workflows. This scope drift is dangerous because users or higher-level agents may grant trust and permissions based on the manifest, while the code can transmit queries to additional external services and perform actions the operator did not intend.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The extract command accepts arbitrary URLs and sends them to a remote extraction API, then prints raw retrieved content. In an agent setting, this can be abused for unintended data exfiltration, retrieval of internal or sensitive URLs if upstream controls are weak, or processing content far beyond the advertised search-only purpose.

Context-Inappropriate Capability

Medium
Confidence: 87%
Finding
The verity and synthesis logic adds cross-source aggregation, confidence scoring, and LLM-style summarization that are not disclosed by the Tavily-focused skill description. This increases the external data-sharing surface and can cause user queries and retrieved content to be forwarded to more services than expected, creating integrity and privacy risks.

Intent-Code Divergence

Medium
Confidence: 92%
Finding
The file-level documentation advertises a broader multi-search client than the skill metadata promises, indicating a mismatch between declared behavior and actual capabilities. Such inconsistencies are security-relevant because reviewers and users may underestimate what the tool can do and what data it can send externally.

Vague Triggers

Medium
Confidence: 84%
Finding
The trigger condition is broad enough to overlap with many ordinary search tasks, which increases the chance the skill will be invoked unnecessarily. In context, that matters because this skill uses an external API and an API key, so over-broad activation can cause unintended data disclosure to third parties, unnecessary credential use, and policy bypass relative to simpler local or safer alternatives.

Vague Triggers

Medium
Confidence: 85%
Finding
The 'when to use' guidance lacks precise boundaries and concrete exclusions, making accidental or overly permissive activation more likely. Because the skill performs external retrieval and may expose user queries to remote services, ambiguous routing increases the chance that sensitive or unnecessary requests are sent outside the local environment.

VirusTotal

66/66 vendors flagged this skill as clean.