Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Chen Tavily Search

Web search using Tavily's LLM-optimized API. Returns relevant results with content snippets, scores, and metadata.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 65 · 1 current installs · 1 all-time installs
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name, description, SKILL.md, and scripts/search.mjs are coherent: the script needs node and an API key and calls https://api.tavily.com/search to return results. Requiring 'node' is expected. However, the registry metadata lists a long string that looks like an API key as a required env var and as primaryEnv rather than a variable name (e.g., TAVILY_API_KEY), which is inconsistent with the actual code and SKILL.md.
Instruction Scope
SKILL.md instructs only how to supply an API key, set options, and run the included Node script. The script reads only process.env.TAVILY_API_KEY and CLI args, posts search requests to api.tavily.com, and prints results. It does not attempt to read unrelated files, credentials, or system paths.
Install Mechanism
This is an instruction-only skill with a small included Node script and no install spec. No downloads or archive extraction are requested. Risk from installation is low.
Credentials
The manifest/metadata declares a long API-key-looking string as a required env var and as primaryEnv instead of declaring the variable name (TAVILY_API_KEY). SKILL.md and the script correctly expect the TAVILY_API_KEY environment variable. This mismatch could be an accidental misconfiguration, or it could indicate an embedded/hardcoded developer key in the manifest—either way it is disproportionate and should be clarified. If the listed string is a real reusable key, it could be abused by anyone using the skill.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system settings. It does not require persistent agent-level privileges beyond normal execution.
Scan Findings in Context
[no_regex_findings] expected: The static regex scanner reported no findings. The included script is small and uses fetch to call the Tavily API; absence of findings is consistent with the code, but does not negate the manifest inconsistencies described above.
What to consider before installing
The code itself behaves like a normal Tavily search client (it expects TAVILY_API_KEY and calls api.tavily.com). However, the skill metadata incorrectly lists a concrete API-key-looking string as a required environment variable and primary credential instead of the env var name. Before installing:
  (1) Do not assume the long string in the manifest is a safe default key — treat it as potentially sensitive. Prefer supplying your own API key via TAVILY_API_KEY or the OpenClaw skill config.
  (2) Verify the skill owner and homepage (https://tavily.com) and confirm the correct variable name (TAVILY_API_KEY).
  (3) Contact the publisher to fix the manifest misconfiguration or to confirm whether the embedded key is intentional; if you or your organization already used the embedded key, rotate it.
  (4) Only proceed if you trust Tavily and the skill publisher.
The skill is not clearly malicious, but the manifest/key inconsistencies are suspicious and should be resolved first.
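The manifest problem described above (a key-shaped value where the variable name TAVILY_API_KEY belongs) can be caught by a lint step before publishing or installing. This is an added example, not code from the skill or from ClawHub; the manifest shape, the thresholds and the prefix list are assumptions, and the sample key is constructed.

```javascript
// Added example. The manifest shape ({ requires: { env }, primaryEnv }) is an
// assumption for illustration, not ClawHub's documented schema.
const ENV_NAME = /^[A-Za-z_][A-Za-z0-9_]*$/;           // POSIX-style variable name
const KEY_PREFIXES = ["tvly-", "sk-", "ghp_", "AKIA"]; // illustrative, not exhaustive

// Shannon entropy in bits per character.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) h -= (n / s.length) * Math.log2(n / s.length);
  return h;
}

// Never echo a suspected secret in lint output; keep only a short prefix.
function redact(s) {
  return s.slice(0, 4) + "…(" + s.length + " chars)";
}

// Classify one declared entry: "ok", "invalid-name" or "secret-like".
function classifyEnvEntry(entry) {
  if (typeof entry !== "string" || entry.length === 0) {
    return { entry, verdict: "invalid-name", reasons: ["empty or non-string entry"] };
  }
  const reasons = [];
  if (KEY_PREFIXES.some((p) => entry.startsWith(p))) reasons.push("known API-key prefix");
  // Heuristic thresholds (assumed): long and close to random.
  if (entry.length >= 24 && shannonEntropy(entry) >= 4.0) reasons.push("long high-entropy string");
  if (reasons.length > 0) return { entry: redact(entry), verdict: "secret-like", reasons };
  if (!ENV_NAME.test(entry)) return { entry, verdict: "invalid-name", reasons: ["not a variable name"] };
  return { entry, verdict: "ok", reasons };
}

// Lint every declared env entry plus primaryEnv; return only the problems.
function lintManifestEnv(manifest) {
  const declared = [...(manifest.requires?.env ?? [])];
  if (manifest.primaryEnv !== undefined) declared.push(manifest.primaryEnv);
  return [...new Set(declared)].map(classifyEnvEntry).filter((r) => r.verdict !== "ok");
}

// Constructed sample manifests (the key-shaped value is made up, not a real key).
const FAKE_KEY = "tvly-dev-CONSTRUCTEDexample0123456789abcdef";
const badManifest = { requires: { bins: ["node"], env: [FAKE_KEY] }, primaryEnv: FAKE_KEY };
const goodManifest = { requires: { bins: ["node"], env: ["TAVILY_API_KEY"] }, primaryEnv: "TAVILY_API_KEY" };

console.log(lintManifestEnv(badManifest));
console.log(lintManifestEnv(goodManifest));
```

A non-empty result is a reason to block publication and rotate the value, since anything placed in registry metadata is public.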
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
scripts/search.mjs:81: Environment variable access combined with network send.

Current version: v1.0.0
latest vk970zsgyc75ewenw1j5k3xfbf183fccp

Runtime requirements

🔍 Clawdis
Bins: node
Env: 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
Primary env: 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

SKILL.md

Tavily Search

Search the web and get relevant results optimized for LLM consumption.

Authentication

Get your API key at https://tavily.com and add it to your OpenClaw config:

{
  "skills": {
    "entries": {
      "tavily-search": {
        "enabled": true,
        "apiKey": "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"
      }
    }
  }
}

Or set the environment variable:

export TAVILY_API_KEY="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"

Quick Start

Using the Script

node {baseDir}/scripts/search.mjs "query"
node {baseDir}/scripts/search.mjs "query" -n 10
node {baseDir}/scripts/search.mjs "query" --deep
node {baseDir}/scripts/search.mjs "query" --topic news

Examples

# Basic search
node {baseDir}/scripts/search.mjs "python async patterns"

# With more results
node {baseDir}/scripts/search.mjs "React hooks tutorial" -n 10

# Advanced search
node {baseDir}/scripts/search.mjs "machine learning" --deep

# News search
node {baseDir}/scripts/search.mjs "AI news" --topic news

# Domain-filtered search
node {baseDir}/scripts/search.mjs "Python docs" --include-domains docs.python.org

Options

| Option | Description | Default |
|---|---|---|
| -n <count> | Number of results (1-20) | 10 |
| --depth <mode> | Search depth: ultra-fast, fast, basic, advanced | basic |
| --topic <topic> | Topic: general or news | general |
| --time-range <range> | Time range: day, week, month, year | - |
| --include-domains <domains> | Comma-separated domains to include | - |
| --exclude-domains <domains> | Comma-separated domains to exclude | - |
| --raw-content | Include full page content | false |
| --json | Output raw JSON | false |

Search Depth

| Depth | Latency | Relevance | Use Case |
|---|---|---|---|
| ultra-fast | Lowest | Lower | Real-time chat, autocomplete |
| fast | Low | Good | Need chunks but latency matters |
| basic | Medium | High | General-purpose, balanced |
| advanced | Higher | Highest | Precision matters, research |

Tips

  • Keep queries under 400 characters - Think search query, not prompt
  • Break complex queries into sub-queries - Better results than one massive query
  • Use --include-domains to focus on trusted sources
  • Use --time-range for recent information
  • Filter by score (0-1) to get highest relevance results
