Tavily
v0.0.3
Web search and content extraction using Tavily Search/Extract/Research APIs (Bearer auth). Use when you need web results (general/news/finance), date/topic/d...
by chaid @doahc
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description, SKILL.md, and the required env var (TAVILY_API_KEY) are consistent with a web search/extraction integration that calls api.tavily.com. The functionality requested (search, extract, research) justifies the single API key.
Instruction Scope
SKILL.md stays on-topic: it instructs the agent to use the bundled CLI or curl to call Tavily endpoints and only references TAVILY_API_KEY. It suggests placing the key in ~/.hermes/.env (guidance only). Note: the documentation files reference additional domains (docs.tavily.com, mintcdn.com for images) even though outbound_hosts lists only api.tavily.com; this is likely benign documentation content but worth confirming that the runtime code does not call other hosts.
Install Mechanism
There is no install spec (instruction-only), which is low risk. However the bundle includes a Python script (scripts/tavily.py) that the SKILL.md tells you to run with python3. The registry metadata lists 'required binaries: none' while the instructions assume python3 is available—this is a minor mismatch and the included script should be inspected before execution.
Credentials
Only a single credential (TAVILY_API_KEY) is required, which is proportionate to the stated purpose. Minor inconsistency: top-level registry metadata shows 'Primary credential: none', but SKILL.md declares primary_credential: TAVILY_API_KEY—this is an administrative mismatch to resolve but not a functional red flag.
Persistence & Privilege
The skill does not request always:true or any persistent/system-wide privileges. It has no install step that writes to system locations. Running the included script will execute network calls (normal for this skill) but there is no evidence it modifies other skills or agent-wide settings.
Scan Findings in Context
[pre-scan-injection-signals-none] expected: The static pre-scan reported no injection signals. That is consistent with an instruction-only search/extract skill. However the bundled Python script's content was not provided for full review here—inspect it before running.
Assessment
This skill appears to do what it says: call Tavily APIs using a single TAVILY_API_KEY. Before installing or running it, do the following:
1) Inspect scripts/tavily.py yourself (or have someone you trust review it) to confirm it only sends requests to api.tavily.com and does not read or transmit other local files or credentials.
2) Confirm you are comfortable storing TAVILY_API_KEY in your Hermes environment and that the key has appropriate access/scopes.
3) Note the small metadata mismatches (primary credential field, 'required binaries' vs instructions calling python3) and the referenced documentation hosts (docs.tavily.com, mintcdn.com) — verify these are only for docs/assets and not used at runtime.
If you cannot review the bundled script, treat execution as higher risk and consider using curl against api.tavily.com directly as shown in the SKILL.md.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
Env: TAVILY_API_KEY
