Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Tavily Skill.Bak

v1.0.0

Use Tavily API for real-time web search and content extraction. Use when: user needs real-time web search results, research, or current information from the...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name, SKILL.md, and tavily-search.sh consistently implement a Tavily web-search integration using curl and jq, which matches the stated purpose. However, the registry metadata lists no required environment variables or primary credential even though the script and documentation require TAVILY_API_KEY; also _meta.json's ownerId differs from the registry owner ID. These metadata mismatches are inconsistent with the stated purpose.
Instruction Scope
SKILL.md and the script limit actions to forming POST requests to https://api.tavily.com/search and printing JSON via jq. The script only reads the TAVILY_API_KEY environment variable and command-line args. There are no instructions to read unrelated files, exfiltrate data to other endpoints, or perform system-wide operations.
Install Mechanism
This is an instruction-only skill with a small shell script and no install spec; nothing is downloaded or written automatically. No high-risk install URLs or archive extraction are present.
Credentials
The skill clearly requires a Tavily API key (TAVILY_API_KEY) per SKILL.md and tavily-search.sh, but the registry's declared required env vars/primary credential fields are empty. Requesting an API key is proportionate to the skill's purpose, but the omission from metadata is a mismatch that could hide what credentials will be used. Also SKILL.md suggests adding the key to an openclaw.json config — that may store secrets persistently and should be considered riskier than using an environment variable.
Persistence & Privilege
The skill does not request persistent 'always' inclusion and does not modify other skills or system configuration. It does not write files or attempt to store credentials itself; it only instructs the user how to set them.
What to consider before installing
The functionality appears to be a simple Tavily API wrapper and the script is short and readable, but there are metadata inconsistencies you should resolve before installing:
1) The skill requires TAVILY_API_KEY (per SKILL.md and tavily-search.sh) yet the registry metadata lists no required credentials — ask the publisher to correct the metadata so required env vars and primary credential are explicit.
2) The ownerId in _meta.json does not match the registry owner ID — verify the publisher's identity or source.
3) Prefer setting the API key in an environment variable rather than storing it in openclaw.json unless you trust that config file's storage and access controls.
4) Inspect or run the included tavily-search.sh in a sandbox to confirm it only calls api.tavily.com and jq, and ensure curl and jq are from trusted system packages.
If the publisher cannot explain or fix the metadata/owner mismatch, treat installation as higher risk.

Like a lobster shell, security has layers — review code before you run it.

latestvk97b4ktwgjzvkt8brxs0txmv5x83phn9

Runtime requirements

🔍 Clawdis
Bins: curl, jq