Tavily Search 1.0.0

Pass

Audited by ClawScan on May 10, 2026.

Overview

This skill appears to be a straightforward Tavily search/extraction helper, but it will use your Tavily API key and send requested queries or URLs to Tavily.

This appears safe for its stated purpose. Before installing, confirm you trust the publisher, provide only a Tavily API key, and avoid sending sensitive queries or private URLs unless Tavily's data handling is acceptable for your use case.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Using the skill can consume Tavily API quota or costs associated with the configured key.

Why it was flagged

The script reads the Tavily API key from the environment and includes it in the Tavily API request. This is expected for the advertised service, but it lets the skill use that account credential and API quota.

Skill content

const apiKey = (process.env.TAVILY_API_KEY ?? "").trim(); ... api_key: apiKey, ... fetch("https://api.tavily.com/search"

Recommendation

Use a Tavily-only key with appropriate quota limits, keep it in the environment rather than hardcoding it, and rotate it if exposed.

What this means

Private or sensitive text included in a search query or URL may be transmitted to Tavily for processing.

Why it was flagged

The documented workflow sends user-provided search queries and URLs to Tavily. This is purpose-aligned, but users should treat those inputs as shared with the provider.

Skill content

AI-optimized web search using Tavily API... node {baseDir}/scripts/search.mjs "query" ... node {baseDir}/scripts/extract.mjs "https://example.com/article"

Recommendation

Avoid putting secrets, private customer data, or internal-only URLs in searches unless Tavily's data handling terms are acceptable for that information.

What this means

You have less provenance information to confirm who authored or maintains the skill.

Why it was flagged

The registry metadata does not identify a source repository. The provided runtime code is small and purpose-aligned, so this is a provenance note rather than evidence of malicious behavior.

Skill content

Source: unknown

Recommendation

Install only from a registry or publisher you trust, and verify the Tavily homepage and API-key setup before use.