Tavily Search Secure
v1.0.0
Perform secure web search and URL content extraction with the Tavily API. Use when: quick web research, collecting sourced results, extracting text from specific URLs and summari...
⭐ 0 · 883 · 6 current · 8 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description, SKILL.md, and the two scripts are coherent: both scripts call https://api.tavily.com (search and extract) and implement the functionality described. However, the registry metadata lists no required environment variables while the SKILL.md and scripts clearly require TAVILY_API_KEY — a bookkeeping/integrity mismatch.
Instruction Scope
SKILL.md directs the agent to run the provided node scripts with a TAVILY_API_KEY. The scripts only perform network calls to api.tavily.com, validate and sanitize inputs, and output results. They explicitly avoid printing the API key and perform host/IPv4/IPv6 checks to block localhost/private addresses (reducing SSRF risk). The scripts do not read other files or secrets.
Install Mechanism
No install spec (instruction-only + included scripts). No external downloads or package installs; code ships in the skill bundle. Risk from install mechanism is low.
Credentials
Functionally the skill only needs one credential (TAVILY_API_KEY), which is proportionate. But the registry metadata incorrectly lists 'Required env vars: none' and 'Primary credential: none' while SKILL.md and the scripts require TAVILY_API_KEY. That mismatch could be accidental but makes it harder to audit/automate safe deployment and lowers trust. Also there is no homepage or known source listed to verify the Tavily API/service.
Persistence & Privilege
always:false and no behavior that modifies other skills or system settings. The skill does not ask to persist tokens or change agent configuration. Autonomous invocation is enabled by default (normal) but not combined with other red flags here.
What to consider before installing
This skill's code appears to do what it says: call Tavily's search/extract endpoints and enforce URL safety checks. Before installing: (1) verify the TAVILY_API_KEY will be provided and treat it as sensitive — the scripts send it to api.tavily.com in request bodies; do not reuse high-privilege keys. (2) Confirm the Tavily service/domain is trustworthy (there's no homepage or source URL listed). (3) Fix the registry metadata mismatch (it should declare TAVILY_API_KEY as a required env var / primary credential). (4) Run the scripts in a sandboxed environment or with least-privilege network rules (restrict egress to the Tavily API) and review request/response logs. If you cannot verify the Tavily endpoint or provenance of the skill, do not supply production credentials — use a throwaway key or decline installation.
Like a lobster shell, security has layers — review code before you run it.
latestvk97a9yqhqv6k4ehx096pars0cx825eyp
