Tavily Search

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Tavily web search and research skill, but it is held for Review because normal use can silently read cached OAuth tokens from ~/.mcp-auth and, when no API key is set, launch an unpinned npm OAuth helper (`npx -y mcp-remote`).

Install only if you are comfortable with Tavily receiving your queries, URLs and any retrieved page content; with the skill reading Tavily OAuth tokens from ~/.mcp-auth; and with first-run auth potentially downloading and executing an npm-based helper and opening a browser. Prefer setting TAVILY_API_KEY explicitly so that neither the cache scan nor the helper launch is triggered, avoid submitting secrets or internal-only URLs, and bound crawl output paths and limits carefully.
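The controls that recommendation implies, written as an added example for this review rather than code from the skill or from Tavily: an explicit TAVILY_API_KEY is used first; cached-token reuse happens only behind an opt-in switch (the variable name TAVILY_USE_CACHED_TOKEN is assumed); the helper is invoked with a pinned version instead of bare `npx -y mcp-remote` (the version string is a placeholder); a pre-flight check refuses internal-only URLs and URLs carrying credentials before anything leaves the host; and every output path is confined to a base directory.

```python
"""Hardened credential resolution, URL pre-flight and output-path bounding
for a Tavily-style search wrapper.  Added example for this review, not the
skill's own code.  Assumed names (not on the page): TAVILY_USE_CACHED_TOKEN
as the opt-in switch, HELPER_VERSION as the pin for mcp-remote."""
import ipaddress
from pathlib import Path
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlsplit

CACHE_OPT_IN = "TAVILY_USE_CACHED_TOKEN"
HELPER_VERSION = "0.0.0"  # placeholder: pin to the mcp-remote version you reviewed


def resolve_credential(env: Dict[str, str],
                       cached_lookup: Callable[[], Optional[str]]) -> Tuple[str, Optional[str]]:
    """Return (source, secret).  Order: explicit TAVILY_API_KEY; then the
    ~/.mcp-auth cache, but only when the user opted in; otherwise ("none",
    None) so the caller can decide whether to run the pinned OAuth helper."""
    key = env.get("TAVILY_API_KEY", "").strip()
    if key:
        return "env", key
    if env.get(CACHE_OPT_IN) == "1":
        token = cached_lookup()  # caller-supplied reader of ~/.mcp-auth
        if token:
            return "cache", token
    return "none", None


def helper_command() -> List[str]:
    """Pinned form of the helper.  `npx -y mcp-remote` with no version runs
    whatever the registry serves at that moment; `pkg@version` does not."""
    return ["npx", "-y", f"mcp-remote@{HELPER_VERSION}"]


def looks_internal(url: str) -> bool:
    """Pre-flight check before a URL leaves the host.  Flags non-http(s)
    schemes, embedded credentials, loopback/private/link-local IP literals,
    single-label names and .local/.internal/.localhost suffixes.  It does not
    resolve DNS, so a public name that points at an internal address passes."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return True
    if parts.username or parts.password:
        return True
    host = parts.hostname.rstrip(".").lower()
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "." not in host or host.endswith((".local", ".internal", ".localhost"))
    return not ip.is_global


def bounded_output_path(base_dir: str, requested: str) -> Path:
    """Resolve `requested` under base_dir and refuse anything that escapes it
    via '..', an absolute path or a symlink.  Raises ValueError on escape."""
    base = Path(base_dir).resolve()
    target = (base / requested).resolve()
    try:
        target.relative_to(base)
    except ValueError:
        raise ValueError(f"refusing to write outside {base}: {requested!r}") from None
    return target
```

The URL check is deliberately static: it catches the obvious internal targets (localhost, RFC 1918 and link-local literals, single-label and .internal names) without a DNS lookup, so it is a consent guard, not an SSRF defence; a name that resolves to an internal address from the caller's network will still pass.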

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (28)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill declares a shell capability via example/script execution (`bash` and `./search/scripts/search.sh`) but does not declare corresponding permissions, which weakens the trust boundary and prevents users from understanding what execution powers the skill has. Even if the shell use is intended for benign search operations, undeclared execution capability can be abused by modified scripts or unexpected command paths.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The documented behavior presents the skill as a search integration, but the detected functionality expands into crawling, extraction, OAuth token access from local storage, auth-flow launching, and writing fetched content to local files. This mismatch is dangerous because users may consent to a simple search tool without realizing it can access local credentials, perform broader network actions, and persist data locally, increasing the chance of credential exposure or unintended data handling.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The script searches the user's MCP auth cache in $HOME/.mcp-auth and automatically reuses any access token whose payload claims a Tavily issuer, even though this behavior is not disclosed at the point of use. Accessing a local credential store that was populated by other tools expands the skill's authority beyond a simple crawl/search wrapper and can surprise users by silently consuming cached secrets.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
When no API key is present, the script launches an external npm-based helper (`npx -y mcp-remote`) to drive an OAuth flow. Spawning a helper that is downloaded from the npm registry at run time, with no pinned version, and opening an authentication flow is a capability escalation beyond straightforward crawling, and it installs and executes third-party code without a clear user warning.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script goes beyond simple extraction by automatically searching the user's local MCP auth cache and, if needed, launching an OAuth helper to obtain credentials. This can silently leverage existing tokens or trigger new authentication flows without clear user consent, creating an unexpected credential-access behavior that expands the trust boundary of the skill.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The script searches the user's local MCP auth cache and automatically reuses any Tavily bearer token it finds, without explicit consent at execution time. Although it filters by issuer and expiry (both read from the token payload), this still crosses a security boundary by repurposing locally cached credentials for a new network action, which can surprise users and enable unintended account/data access.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The script silently launches an external OAuth/login flow via `npx -y mcp-remote` when no API key is present. This causes code/package retrieval and browser-based authentication side effects that a user may not expect from a local research helper, increasing exposure to supply-chain and consent issues.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The script recursively scans the user's local ~/.mcp-auth cache and automatically reuses any token whose JWT payload merely claims the Tavily issuer and is unexpired. This crosses a trust boundary by harvesting credentials from unrelated local auth state without explicit user consent, and the JWT check does not verify the signature, so token acceptance is based on unauthenticated claims. In a search skill, silently discovering and using cached OAuth credentials is more dangerous because users may expect only the provided query to be used, not local credential stores to be mined.
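To make the unverified-claims point concrete, here is an added reproduction of that selection logic, written for this review and not taken from the skill: it decodes each JWT payload without checking the signature, filters on the `iss` and `exp` claims, and the forged token built by forge_token passes. The issuer string, the cache file layout with an `access_token` field, and the sample cache contents are constructed assumptions, since the page does not state them.

```python
"""Reproduction of the token-selection logic described in the finding above:
walk cached MCP auth entries, decode each JWT payload WITHOUT verifying the
signature, and accept the first token whose unverified claims say
iss == TAVILY_ISSUER and exp lies in the future.  Added for this review; the
issuer value and the {"access_token": ...} file layout are assumptions."""
import base64
import json
import os
import time
from typing import Dict, Optional, Tuple

TAVILY_ISSUER = "https://auth.tavily.invalid"  # assumed; not the real issuer


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def unverified_claims(token: str) -> Optional[dict]:
    """JWT payload as a dict, or None if the string is not JWT-shaped.
    No signature is checked, so every returned claim is attacker-controlled."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    return claims if isinstance(claims, dict) else None


def claims_accepted(token: str, issuer: str, now: float) -> bool:
    """The weak check: issuer string matches and exp is in the future."""
    claims = unverified_claims(token)
    if claims is None:
        return False
    try:
        exp = float(claims.get("exp", 0))
    except (TypeError, ValueError):
        return False
    return claims.get("iss") == issuer and exp > now


def cache_entry(token: str) -> str:
    """Serialise a token the way the cache files are assumed to store it."""
    return json.dumps({"access_token": token})


def select_cached_token(entries: Dict[str, str], issuer: str,
                        now: float) -> Optional[Tuple[str, str]]:
    """entries maps a cache file name to its JSON text.  Returns (name, token)
    for the first accepted token in sorted-name order, else None."""
    for name in sorted(entries):
        try:
            data = json.loads(entries[name])
        except ValueError:
            continue
        token = data.get("access_token") if isinstance(data, dict) else None
        if isinstance(token, str) and claims_accepted(token, issuer, now):
            return name, token
    return None


def load_cache_dir(auth_dir: str) -> Dict[str, str]:
    """Read every *.json file under auth_dir (e.g. ~/.mcp-auth) into memory."""
    entries: Dict[str, str] = {}
    for root, _dirs, files in os.walk(auth_dir):
        for fn in files:
            if fn.endswith(".json"):
                path = os.path.join(root, fn)
                with open(path, encoding="utf-8") as fh:
                    entries[os.path.relpath(path, auth_dir)] = fh.read()
    return entries


def forge_token(issuer: str, exp: float) -> str:
    """JWT-shaped string with a bogus signature.  Anything that can write
    to the cache directory can plant one and the check above accepts it."""
    def seg(obj: dict) -> bytes:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=")
    return b".".join([seg({"alg": "RS256", "typ": "JWT"}),
                      seg({"iss": issuer, "exp": exp}),
                      b"not-a-real-signature"]).decode()


if __name__ == "__main__":
    now = time.time()
    # Constructed cache contents; not real Tavily data.
    cache = {
        "other-server/tokens.json": cache_entry(forge_token("https://other.invalid", now + 3600)),
        "tavily/tokens.json": cache_entry(forge_token(TAVILY_ISSUER, now + 3600)),
    }
    print(select_cached_token(cache, TAVILY_ISSUER, now))
```

Run stand-alone it selects the forged token under tavily/tokens.json and skips the other-issuer one. Because nothing here checks a signature, the same function accepts a token that any process able to write to ~/.mcp-auth dropped there; the only real rejection happens at the remote service, by which point the skill has already transmitted the token.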

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
When no API key is set, the script automatically launches an external helper via 'npx -y mcp-remote' and initiates a browser-based OAuth flow. This introduces supply-chain and execution risk because it pulls and runs remote package code at runtime, and it can surprise the user by spawning authentication and browser activity from a search helper. The behavior is especially risky in an agent skill context where users may not expect arbitrary external process execution as part of a simple search request.

Vague Triggers

Medium
Confidence
78% confidence
Finding
Broad trigger phrases such as the generic terms 'search' and 'news' can cause the skill to activate during ordinary conversation, increasing the chance of unintended execution. In a skill with shell-backed actions and broader-than-advertised capabilities, accidental invocation raises the risk of surprise network requests, auth prompts, or file operations.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The skill description is broad enough to encourage crawling 'any website' with minimal constraints, which can cause the agent to trigger on loosely related requests and perform high-impact network actions without sufficient scoping. In a skill that downloads remote content and can save it locally, ambiguous invocation criteria materially increase the risk of over-collection, unintended third-party access, and misuse against sensitive or prohibited targets.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation explicitly promotes saving crawled pages as local markdown files but does not prominently warn about filesystem writes, storage growth, sensitive-content retention, or the legal/privacy implications of bulk website collection. Because this skill combines remote retrieval with local persistence, the missing warning makes accidental data hoarding and unsafe handling of third-party content more likely.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script reads OAuth tokens from the user's MCP auth cache without an explicit user-facing warning where that access occurs. Silent credential harvesting from local caches undermines informed consent and makes it harder for users to understand why a remote request succeeds with private tokens.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script sends user-provided crawl arguments and an authentication bearer token to the remote Tavily MCP endpoint, but the help text does not clearly warn that inputs are transmitted off-host. For a search/research skill, remote transmission is expected, but lack of disclosure still creates privacy and consent risk, especially if users pass sensitive URLs or instructions.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill documentation does not clearly warn users that submitted URLs and the resulting extracted page content are transmitted to Tavily's external service. This creates a real data-handling and privacy risk because users may provide sensitive internal links or regulated content without informed consent.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script reads cached OAuth tokens from the user's home directory without prominently warning the user in normal usage output. Even though it filters for Tavily issuer and expiry, the undisclosed access to local credential stores is a security-sensitive behavior that can surprise users and violate least astonishment.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script transmits user-supplied URLs, queries, and authentication material to a remote Tavily MCP endpoint, but the main interface does not clearly warn users that their input will be sent off-host. In a search/extraction skill this transmission is expected, but lack of explicit notice still creates privacy and data-handling risk, especially if sensitive URLs or queries are passed.

Missing User Warnings

Low
Confidence
89% confidence
Finding
The skill documentation states that OAuth is automatic and that the browser may be opened, but it frames this as seamless setup rather than as a security-relevant action involving use of stored tokens from ~/.mcp-auth/. In an agent context, implicit token reuse and automatic browser launch can surprise users, trigger unintended authentication flows, or cause them to authorize actions without understanding that existing credentials may be consumed.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script reads OAuth access tokens from the user's MCP auth cache without a user-facing warning or consent prompt at the moment of access. Even if used only for Tavily, silently collecting cached secrets is sensitive behavior and can violate user expectations and privacy boundaries.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script sends the user's research query and bearer authentication token to Tavily's remote MCP endpoint without a clear privacy/data-transmission warning tied to that operation. In a research skill, queries may contain sensitive proprietary or personal data, so silent transmission creates a meaningful confidentiality risk.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The skill metadata and description are broad enough to trigger on ordinary requests like 'search' or 'news', which can cause the agent to invoke this external-search skill unexpectedly. In context, that increases the chance that user prompts or sensitive task context are sent to a third-party service without deliberate user intent.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The authentication and onboarding section does not clearly warn that queries, filters, and optionally full page content are transmitted to Tavily, a third-party service. This omission is risky because users may provide sensitive data or enable raw-content retrieval without understanding the external data exposure and associated privacy implications.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The Google ADK integration shows connecting an agent to Tavily's remote MCP server and enabling search, extraction, mapping, and crawling, but it does not warn that user prompts, URLs, and retrieved page content may be sent to external services. In an agent skill context, this can cause unintentional disclosure of sensitive data because developers may wire the tool into workflows without understanding the data-sharing boundary.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The Hybrid RAG example demonstrates sending user queries to Tavily and potentially persisting externally sourced results into a local database, but it provides no warning about privacy, consent, data classification, or handling of sensitive local content. In a search/research skill, this can lead developers to unknowingly route proprietary or personal data to third-party services or mix external content into internal stores without governance.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The LLM verification example forwards URL, title, and search-result content to a third-party model provider without any warning, minimization, or consent flow. In an agent skill focused on web research, users may paste sensitive research targets or proprietary findings; sending full result content onward can unintentionally disclose personal, confidential, or regulated data to another external service.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal