ClawHub

Tavily Research

v1.0.0

Comprehensive research grounded in web data with explicit citations. Use when you need multi-source synthesis—comparisons, current events, market analysis, d...

0· 355·3 current·6 all-time
by@evanydl
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The skill claims to perform web-grounded research and uses Tavily's MCP endpoint (https://mcp.tavily.com/mcp) to do so. Requiring a Tavily token or API key and consulting an MCP auth cache (~/.mcp-auth) is coherent with that purpose; no unrelated services or credentials are requested.
Instruction Scope
Runtime instructions and the included script stick to conducting research via Tavily's MCP. The script reads ~/.mcp-auth for *_tokens.json and may launch an OAuth flow (via npx mcp-remote). Minor issues: SKILL.md suggests adding TAVILY_API_KEY to ~/.claude/settings.json as an alternative, but the script does not parse that file (it respects the TAVILY_API_KEY environment variable). The script also assumes utilities (jq, curl, base64, date, find, npx) are available but the skill manifest does not declare required binaries.
Install Mechanism
There is no install spec (instruction-only with an included helper script), so nothing is permanently installed by the skill bundle. The script may invoke npx at runtime (which transiently fetches an npm package) but there is no packaged download that writes arbitrary archives to disk.
Credentials
The script legitimately needs a Tavily credential (TAVILY_API_KEY or an OAuth token in ~/.mcp-auth). However, the skill metadata did not declare a primary credential or required env var; the SKILL.md documents the API key option but the registry fields omit it. The script's access is limited to the user's home auth cache (~/.mcp-auth) and the Tavily endpoint, which is proportional to the purpose but should be declared explicitly.
Persistence & Privilege
The skill is not force-included (always: false), does not attempt to modify other skills or global agent configuration, and does not request elevated or persistent system privileges. OAuth flow spawns a short-lived npx process but that's normal for an OAuth helper.
Assessment
What to consider before installing: - This skill will send your research queries to Tavily (https://mcp.tavily.com). Only use it if you trust Tavily to handle the content you submit. - The script tries to reuse OAuth tokens from ~/.mcp-auth and will also open a browser OAuth flow (via npx mcp-remote) if no token is found. Expect a transient npm download when the OAuth helper runs. - The script expects command-line tools (jq, curl, base64, date, find, npx) but the skill metadata doesn't list these requirements — ensure they exist before running. - The SKILL.md suggests setting TAVILY_API_KEY in ~/.claude/settings.json as an option; the script only honors the TAVILY_API_KEY environment variable or tokens in ~/.mcp-auth. If you prefer to avoid the OAuth flow, set TAVILY_API_KEY in your environment beforehand. - Because source/homepage are not provided in the registry metadata, exercise normal caution: review the script (you already did) and confirm the mcp domain and issuer string (script checks iss == "https://mcp.tavily.com/") match the official service you intend to use. - Avoid sending highly sensitive secrets or proprietary data through the skill unless you have verified and accepted Tavily's data handling policies. If you want higher assurance, ask the publisher for a homepage or signed source, or run the script in an isolated environment first.

Like a lobster shell, security has layers — review code before you run it.

latestvk97a79h815sfsrvq3rr7mty6t582mvjj

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments