Back to skill

Security audit

Tavily Extract

Security checks across malware telemetry and agentic risk

Overview

This skill coherently extracts user-provided URLs through Tavily, with expected third-party API and authentication behavior that should be reviewed before use.

Install only if you are comfortable sending the URLs, query text, and extraction options you provide to Tavily under your account. Avoid using it for private, internal, authenticated, regulated, or confidential URLs unless that sharing is approved, and review the OAuth/token cache behavior on shared machines.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
83% confidence
Finding
The skill documentation instructs users to run a shell script (`./scripts/extract.sh`) and perform network operations, but the skill metadata shown here declares no corresponding permissions. This mismatch can mislead users and security tooling about the skill's actual capabilities, reducing informed consent and making external calls harder to govern.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill is explicitly designed to send user-provided URLs, queries, and extracted page content to Tavily's external API, but it does not clearly warn users about third-party data sharing. This creates a privacy and compliance risk if users provide sensitive URLs, internal endpoints, proprietary queries, or confidential page targets.

Missing User Warnings

Low
Confidence
85% confidence
Finding
The authentication section says browser-based OAuth will open automatically and tokens are stored in `~/.mcp-auth/`, but it does not clearly warn users that local credentials will be created and persisted on disk. This omission can surprise users on shared systems and increase the chance of unintended account linkage or token exposure.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script searches the user's local MCP auth cache and silently reuses any Tavily OAuth access token it finds. This is a real security/privacy issue because it accesses local credentials without explicit disclosure or consent in the interface, which can surprise users and cause unintended use of cached account authority.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script sends user-supplied URLs/query data together with an authorization bearer token to Tavily's remote MCP endpoint, but does not provide an explicit warning at the interface that data will leave the local environment. In an agent-skill context, this matters because users may assume local processing and could inadvertently transmit sensitive URLs, prompts, or account-linked credentials to a third party.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.