Tavily Plus

Pass

Audited by ClawScan on May 10, 2026.

Overview

Tavily Plus appears to be a normal Tavily search integration, with expected use of Tavily API keys, external search requests, and optional local report files.

Install only if you are comfortable providing a Tavily API key and sending search queries to Tavily. Keep TAVILY_BASE_URL unset unless you trust the endpoint, avoid searching for secrets, and use export_doc only for reports you are willing to store locally.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Searches may consume the user's Tavily quota and are authorized with the configured Tavily key.

Why it was flagged

The code uses Tavily API keys from environment variables as bearer credentials for provider requests. This is expected for the stated search integration but means the skill operates under the user's Tavily account.

Skill content

if (process.env.TAVILY_API_KEY) keys.push(process.env.TAVILY_API_KEY); ... "Authorization": `Bearer ${apiKey}`

Recommendation

Use only intended Tavily API keys, rotate or revoke them if needed, and avoid providing broader credentials than necessary.

What this means

Search terms and generated sub-queries leave the local environment and go to Tavily by default, or to the configured base URL if changed.

Why it was flagged

User queries and generated sub-queries are sent to an external provider endpoint. This is purpose-aligned for web search, but a custom TAVILY_BASE_URL changes the destination for query data and authorization headers.

Skill content

const BASE_URL = process.env.TAVILY_BASE_URL || "https://api.tavily.com"; ... fetch(`${BASE_URL}/search`, { method: "POST", ... body: JSON.stringify(body) })

Recommendation

Do not include secrets in search queries, and leave TAVILY_BASE_URL unset unless the alternate endpoint is trusted.

What this means

Local report files may contain the user's query, search results, and generated summary.

Why it was flagged

The skill can write a local report file when the user enables export_doc. The behavior is disclosed and scoped to a predictable OpenClaw reports directory.

Skill content

When `export_doc: true`: ... Save to `~/.openclaw/workspace/reports/tavily-plus-{timestamp}.md`

Recommendation

Enable export_doc only when a saved report is desired, and delete report files if they contain sensitive research topics.