Tavily Plus
Pass
Audited by VirusTotal on May 10, 2026.
Overview
Type: OpenClaw Skill
Name: tavily-plus
Version: 1.0.0
The tavily-plus skill provides an enhanced search interface for the Tavily API, featuring automated query decomposition, API key rotation, and local report generation. The implementation in `scripts/smart-search.js` aligns with the documentation in `SKILL.md`, using standard Node.js modules to perform web requests and write markdown files to a local workspace directory. No evidence of data exfiltration, malicious execution, or prompt injection was found.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Searches may consume the user's Tavily quota and are authorized with the configured Tavily key.
The code uses Tavily API keys from environment variables as bearer credentials for provider requests. This is expected for the stated search integration but means the skill operates under the user's Tavily account.
if (process.env.TAVILY_API_KEY) keys.push(process.env.TAVILY_API_KEY); ... "Authorization": `Bearer ${apiKey}`
Use only intended Tavily API keys, rotate or revoke them if needed, and avoid providing broader credentials than necessary.
Search terms and generated sub-queries leave the local environment and go to Tavily by default, or to the configured base URL if changed.
User queries and generated sub-queries are sent to an external provider endpoint. This is purpose-aligned for web search, but a custom TAVILY_BASE_URL changes the destination for query data and authorization headers.
const BASE_URL = process.env.TAVILY_BASE_URL || "https://api.tavily.com"; ... fetch(`${BASE_URL}/search`, { method: "POST", ... body: JSON.stringify(body) })
Do not include secrets in search queries, and leave TAVILY_BASE_URL unset unless the alternate endpoint is trusted.
Local report files may contain the user's query, search results, and generated summary.
The skill can write a local report file when the user enables export_doc. The behavior is disclosed and scoped to a predictable OpenClaw reports directory.
When `export_doc: true`: ... Save to `~/.openclaw/workspace/reports/tavily-plus-{timestamp}.md`
Enable export_doc only when a saved report is desired, and delete report files if they contain sensitive research topics.
