ClawHub

Tavily Search

PassAudited by VirusTotal on May 8, 2026.

Overview

Type: OpenClaw Skill Name: tavily-search-aisa-api Version: 1.0.0 The skill is a legitimate search tool that interfaces with the AIsa API (api.aisa.one). The Python script `scripts/search_client.py` uses standard libraries to perform web searches and content extraction as described in `SKILL.md`, with no evidence of data exfiltration, malicious execution, or prompt injection.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Note
ASI03: Identity and Privilege Abuse
What this means

Searches may consume the user's AIsa credits or quota, and the API key should be treated as a sensitive credential.

Why it was flagged

The skill requires an API key for the AIsa service, so invocations run under the user's AIsa account.

Skill content
primaryEnv: AISA_API_KEY ... requires: env: - AISA_API_KEY
Recommendation

Use a revocable, least-privileged API key if available, keep it out of logs and shared shells, and monitor account usage.

Note
ASI07: Insecure Inter-Agent Communication
What this means

Any query text, URLs submitted for extraction, and generated search context may be shared with the AIsa service.

Why it was flagged

The client sends user-provided search queries and the bearer API key to the external AIsa API, which is expected for this search integration.

Skill content
AISA_BASE = "https://api.aisa.one/apis/v1" ... "Authorization": f"Bearer {api_key}" ... "query": args.query
Recommendation

Avoid sending secrets, private documents, or sensitive personal information as search queries or extraction URLs unless you are comfortable sharing them with the provider.

Note
ASI02: Tool Misuse and Exploitation
What this means

If the agent or user invokes these other modes, the skill may contact additional AIsa endpoints and process more data than a simple Tavily search.

Why it was flagged

The bundled script supports additional AIsa search, extraction, and synthesis subcommands beyond the Tavily-only usage emphasized in SKILL.md.

Skill content
Usage:\n    python3 search_client.py web ... scholar ... smart ... tavily ... extract ... sonar ... verity
Recommendation

If you only want Tavily search, instruct the agent to use the `tavily` subcommand and confirm before using extract, sonar, or multi-source verity modes.