Back to skill

Security audit

Tavily Search Skill

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Tavily web-search skill with disclosed API-key setup and local filtering, though users should treat queries and the Tavily key as sensitive.

Install this only if you are comfortable sending search queries to Tavily and using a Tavily API key for quota-bearing requests. Prefer the TAVILY_API_KEY environment variable or another secret manager over a plaintext apikey file when possible, and use a reviewed or pinned source if installing from GitHub.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill documents behaviors that require file read, network access, and shell execution, but it does not declare those capabilities or permissions anywhere in the manifest. That mismatch can mislead users and hosting agents about what the skill will do, reducing informed consent and making review and sandboxing harder.

Context-Inappropriate Capability

Low
Confidence
89% confidence
Finding
The script performs an additional call to the Tavily usage endpoint and returns account plan and quota details even though the skill is described as a web-search tool. This expands data collection beyond the minimum needed for the feature and can leak operational/account metadata to downstream consumers without clear justification.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs the user to provide a Tavily API key and stores it in a local plaintext file without clearly warning that the credential is sensitive or discussing storage risks. Even with chmod 600, plaintext local storage can expose the key through backups, logs, accidental disclosure, or other local processes running as the same user.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
User search queries are sent to a third-party API and the script also fetches account data, but the script itself provides no notice or consent mechanism about this external transmission. In an agent-skill context, queries may contain sensitive user content, making undisclosed transmission a meaningful privacy risk.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.