Literature Search Workflow
Advisory. Audited by static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If run as-is, searches may use a bundled Tavily credential, which can create ambiguity around account ownership, quotas, logging, privacy, and revocation.
The script embeds a default provider API key instead of requiring the user to supply one through a declared secret or environment variable. This creates unclear credential ownership and user control.
TAVILY_API_KEY = os.getenv('TAVILY_API_KEY', 'tvly-dev-h63...')
Remove the embedded default key, declare TAVILY_API_KEY as a required credential, and require users to provide their own key through a standard secret mechanism.
Search terms, which may reveal research interests or sensitive topics, leave the local environment and are processed by Tavily.
The workflow sends the user's literature-search query to Tavily's external API. This is expected for the skill's purpose, but it is still an external provider data flow.
url = "https://api.tavily.com/search" ... requests.post(url, json=data, headers=headers, timeout=30)
Use the skill only with queries you are comfortable sending to Tavily, and document the provider data flow clearly for users.
