Tavily Search 极简版

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Tavily search helper that discloses its API key requirement and external search request.

Install only if you are comfortable sending search queries, domain filters, selected search options, and your Tavily API-authenticated request to Tavily. Avoid putting secrets or sensitive internal terms in search queries, prefer setting TAVILY_API_KEY as an environment variable, and review any README-suggested OpenClaw configuration changes before applying them.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 78% confidence
Finding: The skill sends user-supplied queries and optional result content preferences to a third-party search API, but the code provides no explicit runtime notice or consent mechanism about that external transmission. In an agent context, users may assume searches are local, so sensitive prompts or internal terms could be disclosed to the external provider unintentionally.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal