Chen Tavily Search
Warn
Audited by ClawScan on May 10, 2026.
Overview
The search script mostly matches its Tavily web-search purpose, but the skill exposes a Tavily API key and has inconsistent provenance/credential metadata.
Do not use the bundled API key. If you install this skill, replace the authentication instructions with your own TAVILY_API_KEY, avoid sensitive search queries, and prefer a republished version with consistent metadata and no exposed credential.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Users may run with a shared or exposed API key, searches may be associated with an unknown account, and the exposed key could be abused or revoked.
The artifact embeds a token-looking Tavily value as the required/primary credential and in the setup example, instead of declaring a variable name and asking the user to provide their own key.
"primaryEnv":"tvly-dev-2RpjXu-..." ... export TAVILY_API_KEY="tvly-dev-2RpjXu-..."
Remove the hardcoded key, rotate it if it is real, declare TAVILY_API_KEY as the required environment variable, and show only placeholder examples such as YOUR_TAVILY_API_KEY.
Users cannot easily confirm that the reviewed package, registry listing, and publisher identity all refer to the same skill.
The embedded metadata names a different owner, slug, and version than the evaluated registry entry for chen-tavily-search version 1.0.0, making package provenance unclear.
"ownerId": "kn724ben7jjrcy3pebw2jbak3s8201cp", "slug": "liang-tavily-search", "version": "1.0.1"
Republish with consistent registry and package metadata, and provide a clear source/provenance trail.
Search queries and selected options are sent to Tavily; users should avoid placing private secrets in search queries.
The skill sends the user’s search query and the Tavily API credential to Tavily’s API, which is expected for this web-search purpose.
await fetch("https://api.tavily.com/search", { ... "Authorization": `Bearer ${apiKey}`, body: JSON.stringify(body) })
Use your own Tavily API key and treat search queries as data shared with the Tavily service.
