gold-analysis
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: gold-skill Version: 1.0.0 The skill bundle provides a gold investment analysis tool that uses the Tavily API to fetch real-time market data and news. The core logic in `scripts/search-gold.mjs` is transparent, performing standard HTTP requests to a legitimate search service and outputting results for the agent to process. While it includes a hardcoded default API key as a fallback, there is no evidence of data exfiltration, unauthorized execution, or malicious prompt injection.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Searches may run under a shared embedded provider credential; the key can be copied or abused, and quota, logging, and account identity are not under the user's control.
The script contains a hardcoded Tavily API key and automatically uses it when the user has not set TAVILY_API_KEY.
const DEFAULT_API_KEY = "tvly-dev-..."; const apiKey = (process.env.TAVILY_API_KEY ?? DEFAULT_API_KEY).trim();
Remove and rotate the embedded key, require each user to provide their own TAVILY_API_KEY, and declare the credential requirement clearly in metadata.
Gold-related questions, and any personal investment details included in them, may be processed by Tavily.
The script sends the user's search query and API key to Tavily's external search API, which is expected for the skill's purpose.
fetch("https://api.tavily.com/search", { method: "POST", ... body: JSON.stringify(body) })Avoid putting sensitive personal financial details in queries, and use your own Tavily API key if you need account and privacy control.
Using the skill runs included local code and performs a network search request.
The skill instructs the agent to run a local helper script to fetch current market information; this is aligned with the stated search-analysis purpose.
node {baseDir}/scripts/search-gold.mjs <query> [--type price|news|technical]Review the included script before use and prefer setting your own Tavily API key.