Literature Search Workflow
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its literature-search purpose, but it embeds an undeclared Tavily API key and sends searches to Tavily, so credential and privacy handling should be reviewed.
Before installing, review or remove the bundled Tavily API key and configure your own TAVILY_API_KEY. Avoid submitting sensitive or confidential search queries unless you are comfortable sending them to Tavily.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If run as-is, searches may use a bundled Tavily credential, which can create ambiguity around account ownership, quotas, logging, privacy, and revocation.
The script embeds a default provider API key instead of requiring the user to supply one through a declared secret or environment variable. This creates unclear credential ownership and user control.
TAVILY_API_KEY = os.getenv('TAVILY_API_KEY', 'tvly-dev-h63...')
Remove the embedded default key, declare TAVILY_API_KEY as a required credential, and require users to provide their own key through a standard secret mechanism.
Search terms, which may reveal research interests or sensitive topics, leave the local environment and are processed by Tavily.
The workflow sends the user's literature-search query to Tavily's external API. This is expected for the skill's purpose, but it is still an external provider data flow.
url = "https://api.tavily.com/search" ... requests.post(url, json=data, headers=headers, timeout=30)
Use the skill only with queries you are comfortable sending to Tavily, and document the provider data flow clearly for users.
