WebPage Searchxxx
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill mostly matches its stated purpose (calling Tavily with your API key) but it imports formatter modules based on data returned from the Tavily API, which lets the remote service cause the skill to load and execute arbitrary code — a risky behavior not documented in the description.
This skill correctly needs only TAVILY_API_KEY and node to call the Tavily API, but search.mjs will import whatever module path the Tavily API returns in data.meta.formatFile. That means a compromised or malicious Tavily response could make your agent load and run arbitrary code. Before installing:
1) only use this with a Tavily endpoint you fully trust;
2) review and if possible patch search.mjs to only import from a safe allowlist of local formatter modules (or disable dynamic imports entirely);
3) fix the apparent directory-name mismatch (code expects './formatters/...' but files are under 'formatter/') so the code cannot default into executing API-provided formatters; and
4) avoid using this skill on agents that have other sensitive credentials or access.
If you cannot verify the remote service and do not want remote code execution risk, do not install.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
No VirusTotal findings
Risk analysis
No visible risk-analysis findings were reported for this release.
