Tavily Search Skill

v1.0.7

Web search via Tavily API (alternative to Brave). Use when the user asks to search the web / look up sources / find links and Brave web_search is unavailable...

by 黑川眠也 (@jayegt002)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
The skill's name/description (Tavily web search) matches what the scripts do: calling https://api.tavily.com/search and https://api.tavily.com/usage. It legitimately requires a Tavily API key. However, the registry metadata does not declare the API key or any required env var even though SKILL.md and search.sh require TAVILY_API_KEY or an apikey file — this mismatch is a packaging/metadata oversight.
Instruction Scope
SKILL.md instructs the agent/user to git clone the repo, request the user's Tavily API key, store it in a local 'apikey' file (or set TAVILY_API_KEY), and run ./search.sh. Runtime steps and files referenced are limited to the skill directory (apikey, blocklist files, search.sh). The instructions do not request unrelated system files, other credentials, or exfiltration to unexpected endpoints.
Install Mechanism
There is no formal install spec (instruction-only), and SKILL.md tells the user to git clone the GitHub repo. The code bundle also includes the same scripts, which makes the clone instruction redundant/odd but not dangerous. The GitHub URL is a normal source; no downloads from untrusted IPs or extract steps are used.
Credentials
The only credential used is the Tavily API key (TAVILY_API_KEY or apikey file). That is proportional to a web-search integration. The concern is that the registry metadata did not declare the need for this credential; the script also supports reading the same key from an env var or a file, and it sends the key as a Bearer token to api.tavily.com as expected.
Persistence & Privilege
The skill does not request persistent elevated privileges, does not set always:true, and only writes a local 'apikey' file (SKILL.md tells user to create it). It does not modify other skills or global agent configuration.
Assessment
This skill appears to do what it claims: call the Tavily search API and optionally filter results with a local blocklist. Before installing, verify the GitHub repo URL is the intended source and review the repo contents. Be aware the skill asks you to provide your Tavily API key and suggests storing it in a local file named 'apikey' (the instructions apply chmod 600 to it). If you prefer, set TAVILY_API_KEY in your environment instead of writing a file. The main oddities are that the registry metadata doesn't list the required API key and that SKILL.md asks you to git clone even though the package contains the scripts; these are packaging issues rather than security red flags. Run the script in an isolated environment if you are unsure, and verify it only contacts api.tavily.com (no other remote endpoints are present in the files).

Like a lobster shell, security has layers — review code before you run it.
