Tavily Search

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent can use your Tavily API key and quota when it performs searches.

Why it was flagged

The skill requires a Tavily service credential. This is expected for a Tavily search integration, but the registry metadata says no required env vars and no primary credential.

Skill content

Provide API key via either: ... `TAVILY_API_KEY`, or ... `~/.openclaw/.env` line: `TAVILY_API_KEY=...`

Recommendation

Use a dedicated Tavily API key, avoid sharing a broadly privileged key, and prefer updating the skill metadata to declare the credential requirement.

What this means

Search terms may be visible to Tavily, so sensitive queries could be exposed to that provider.

Why it was flagged

The script sends the API key and user search query to Tavily's external API. This is disclosed and purpose-aligned for web search.

Skill content

TAVILY_URL = "https://api.tavily.com/search" ... "api_key": key, "query": query

Recommendation

Avoid putting secrets or private data into search queries, and review Tavily's privacy and retention terms if that matters for your use.