Tavily Search

AdvisoryAudited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Note

ASI03: Identity and Privilege Abuse

What this means

Searches may consume the user's Tavily quota or be associated with their Tavily account.

Why it was flagged

The skill requires a Tavily API key, which is expected for using Tavily's Search API, but it means requests are made under the user's Tavily account.

Skill content

Set your API key as an environment variable: export TAVILY_API_KEY=tvly-...

Recommendation

Use a Tavily API key intended for this purpose and monitor usage or billing as appropriate.

Note

ASI07: Insecure Inter-Agent Communication

What this means

Anything placed in the search JSON, including query text, is sent to Tavily.

Why it was flagged

The skill sends the provided search JSON to Tavily's external API. This is core to the skill's purpose and is disclosed, but it is still an external data flow.

Skill content

printf '%s' "$JSON_INPUT" | curl -s --request POST --url "https://api.tavily.com/search"

Recommendation

Do not include secrets, credentials, or sensitive personal information in search requests.