Unified Web Search (Iyeque)
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its web/local search purpose, but it runs an undeclared neighboring Tavily script and gives it the process environment, so it needs review before use.
Review the separate tavily-search helper before using Tavily mode, and consider running the skill with a minimal environment that contains only TAVILY_API_KEY. Be aware that local searches can show filenames and paths from your OpenClaw workspace memory and skills directories.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the Tavily source may execute code from another local skill or file that was not part of this review.
The skill runs a sibling Tavily script that is not included in the provided manifest and is not declared by an install spec, creating an unreviewed dependency/provenance gap.
const scriptPath = path.join(__dirname, '../tavily-search/scripts/search.mjs'); ... const output = execSync(cmd, {Install only if you trust and have reviewed the separate tavily-search helper at that exact path, or update the skill to call Tavily directly or declare a reviewed dependency.
Other API keys or credentials present in the agent environment could become accessible to the helper process.
The child process receives the full environment, not only the required Tavily API key. Combined with the undeclared external helper, this can expose unrelated environment secrets to code outside this package.
env: { ...process.env, TAVILY_API_KEY: apiKey }Run this skill in a minimal environment containing only the variables it needs, and prefer passing only TAVILY_API_KEY to any child process.
Search results may reveal local workspace filenames or paths from memory/skill areas to the agent context.
The local search feature reads filenames from persistent OpenClaw workspace memory and skills directories and returns matching absolute paths.
const allowedSubdirs = ['memory', 'skills']; ... fs.readdirSync(searchPath, { withFileTypes: true });Use the local source only when you are comfortable exposing matching workspace filenames and paths in search output.