Tavily Research

Security checks across malware telemetry and agentic risk

Overview

This research skill does what it claims, but it should be reviewed because it automatically reuses local Tavily login tokens and can fetch and run an npm helper during authentication.

Install only if you are comfortable sending research prompts to Tavily and allowing the skill to reuse a Tavily token from your local MCP auth cache. Prefer setting `TAVILY_API_KEY` yourself, avoid secrets or private data in research queries, and review the automatic OAuth path before relying on it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding
The script enumerates cached OAuth tokens from ~/.mcp-auth, selects one based on JWT claims, and silently repurposes it as TAVILY_API_KEY. It also initiates an interactive OAuth flow if no token is present. In a skill context, accessing local credential caches and triggering login flows without explicit user consent is a real security and privacy concern because it broadens credential access beyond the immediate command input.

Missing User Warnings

Medium
Confidence: 96%
Finding
The script searches the user's home directory for cached MCP OAuth tokens and exports a discovered token for API use without an explicit disclosure in the execution path. Even though it filters for the Tavily issuer and expiration, the sensitive behavior is still credential harvesting from local storage, which can surprise users and violate least-astonishment and least-privilege expectations.

Missing User Warnings

Medium
Confidence: 89%
Finding
The script transmits user-provided research queries and an authorization bearer token to a remote service over HTTPS without an explicit privacy warning or consent gate. While external transmission is expected for a research tool, it is still a genuine data exposure surface because queries may contain sensitive internal information and the request includes active credentials.

VirusTotal

66/66 vendors flagged this skill as clean.