Chen Tavily Search

The skill bundle contains a hardcoded Tavily API key (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) exposed within the SKILL.md documentation and the _meta.json metadata fields. While the core logic in scripts/search.mjs is a functional wrapper for the Tavily API and lacks evidence of intentional malice or data exfiltration, the inclusion of active credentials constitutes a significant security vulnerability and improper secret management.