Tavily Search Skill
Security checks across malware telemetry and agentic risk
Overview
The skill coherently performs Tavily web searches, but users should note that it needs a Tavily API key and user-directed setup from an unpinned GitHub repository.
Before installing, be comfortable giving this skill a Tavily API key and sending your search queries to Tavily. If you install from GitHub, consider using a pinned/reviewed version, and keep the local apikey file protected.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can use the provided Tavily account key to perform searches and check usage quota.
The skill asks for a Tavily API key and stores it in a local file. This is expected for a Tavily integration, but users should understand that the key authorizes API usage and quota consumption.
Ask the user: "Please provide your Tavily API Key..." ...
echo "USER_PROVIDED_API_KEY" > apikey
chmod 600 apikey
Use a Tavily key intended for this purpose, keep the apikey file private, and revoke or rotate the key if it is no longer needed.
Installing from the repository may retrieve code that differs from the reviewed artifact if the upstream repo changes.
The installation instructions pull code from a live GitHub repository without a pinned commit or release. This is a common user-directed setup pattern, but it means future repository changes could affect what is installed.
git clone https://github.com/JayeGT002/Tavily-Search-Skill.git tavily-search-skill
Prefer installing a reviewed release or pinned commit, and compare the cloned files with the reviewed files if you need stronger provenance.
