Tavily Search

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: openclaw-tavily-search
Version: 0.1.0

The skill provides a legitimate web search functionality using the Tavily API. It securely loads the API key from environment variables or a dedicated OpenClaw `.env` file, and makes a standard POST request to the official Tavily API endpoint. There is no evidence of data exfiltration to unauthorized destinations, malicious execution, persistence mechanisms, or prompt injection attempts in SKILL.md. All operations are aligned with the stated purpose.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent can use your Tavily API key and quota when it performs searches.

Why it was flagged

The skill requires a Tavily service credential. This is expected for a Tavily search integration, but the registry metadata says no required env vars and no primary credential.

Skill content

Provide API key via either: ... `TAVILY_API_KEY`, or ... `~/.openclaw/.env` line: `TAVILY_API_KEY=...`

Recommendation

Use a dedicated Tavily API key, avoid sharing a broadly privileged key, and prefer updating the skill metadata to declare the credential requirement.

What this means

Search terms may be visible to Tavily, so sensitive queries could be exposed to that provider.

Why it was flagged

The script sends the API key and user search query to Tavily's external API. This is disclosed and purpose-aligned for web search.

Skill content

`TAVILY_URL = "https://api.tavily.com/search"` ... `"api_key": key, "query": query`

Recommendation

Avoid putting secrets or private data into search queries, and review Tavily's privacy and retention terms if that matters for your use.