gold-analysis
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill appears to provide gold-market search as advertised, but it includes a hardcoded Tavily API key and sends user queries to Tavily.
Use this skill only if you are comfortable sending gold-related queries to Tavily. Do not rely on the built-in key; set your own TAVILY_API_KEY. The publisher should remove and rotate the exposed key before this skill is considered safe to use.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Searches may run under a shared embedded provider credential; the key can be copied or abused, and quota, logging, and account identity are not under the user's control.
The script contains a hardcoded Tavily API key and automatically uses it when the user has not set TAVILY_API_KEY.
const DEFAULT_API_KEY = "tvly-dev-...";
const apiKey = (process.env.TAVILY_API_KEY ?? DEFAULT_API_KEY).trim();
Remove and rotate the embedded key, require each user to provide their own TAVILY_API_KEY, and declare the credential requirement clearly in metadata.
Gold-related questions, and any personal investment details included in them, may be processed by Tavily.
The script sends the user's search query and API key to Tavily's external search API, which is expected for the skill's purpose.
fetch("https://api.tavily.com/search", { method: "POST", ... body: JSON.stringify(body) })
Avoid putting sensitive personal financial details in queries, and use your own Tavily API key if you need account and privacy control.
Using the skill runs included local code and performs a network search request.
The skill instructs the agent to run a local helper script to fetch current market information; this is aligned with the stated search-analysis purpose.
node {baseDir}/scripts/search-gold.mjs <query> [--type price|news|technical]
Review the included script before use and prefer setting your own Tavily API key.
