tavily-search

AdvisoryAudited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Note

ASI03: Identity and Privilege Abuse

What this means

Searches may use the user's Tavily account, quota, billing, or rate limits, and the API key should be protected.

Why it was flagged

The helper uses a Tavily API key from the environment to make service calls. This is expected for the stated purpose, but it is still account credential use.

Skill content

api_key = os.getenv("TAVILY_API_KEY")
...
client = TavilyClient(api_key=api_key)

Recommendation

Use a dedicated/revocable Tavily key, avoid exposing it in shared code or logs, and revoke it if it is accidentally disclosed.

Note

ASI07: Insecure Inter-Agent Communication

What this means

Sensitive search terms or confidential context included in a query may leave the local environment and be processed by Tavily.

Why it was flagged

User-provided search queries are sent to the external Tavily provider. This is central to the skill's purpose and is disclosed by the skill description.

Skill content

response = client.search(
            query=args.query,

Recommendation

Do not include secrets or unnecessary private data in search queries, and review Tavily's data handling terms if using it for sensitive work.

Note

ASI06: Memory and Context Poisoning

What this means

A malicious or low-quality web page could influence the agent's answer if the agent treats retrieved text as instructions instead of evidence.

Why it was flagged

The skill documents a RAG pattern that places retrieved web content into model context. This is purpose-aligned, but retrieved web text can be untrusted or manipulative.

Skill content

# Use context directly in LLM prompts
prompt = f"""Based on the following context:
{context}

Recommendation

Treat Tavily results as untrusted source material, ask the agent to cite sources, and do not let instructions inside web snippets override the user's task or safety rules.

Note

ASI06: Memory and Context Poisoning

What this means

Search queries and result content may be stored locally in the user's cache directory, which could matter for sensitive research topics.

Why it was flagged

The fast helper writes search responses to a local cache directory. The cache validity is short, but stale files may remain on disk unless cleaned up.

Skill content

CACHE_DIR = Path.home() / ".cache" / "tavily_search"
...
json.dump({
                'timestamp': time.time(),
                'data': data
            }, f)

Recommendation

Use the --no-cache option for sensitive searches or periodically clear ~/.cache/tavily_search.

Note

ASI04: Agentic Supply Chain Vulnerabilities

What this means

Installing an unpinned package may pull whatever version is current from the package index, which can change over time.

Why it was flagged

The documented dependency installation is unpinned and not captured by an install spec. This is a normal dependency for the skill, but it depends on the package source at install time.

Skill content

tavily-python package installed (`pip install tavily-python`)

Recommendation

Install tavily-python from a trusted source and consider pinning a known-good version in managed environments.