Gemini Tavily Search
v0.1.0Use this skill when the user asks about current events, real-time information, recent news, live scores, financial data, price updates, recent changes, or an...
⭐ 0· 135·0 current·0 all-time
byJose Arroyave@josearroyave
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
The skill implements web search orchestration (Gemini primary, Tavily fallback) and the scripts call the expected endpoints (generativelanguage.googleapis.com and api.tavily.com). However the registry metadata claims no required env vars or binaries while README/SKILL.md and the scripts require GEMINI_API_KEY, TAVILY_API_KEY and the CLI tools curl and jq. That mismatch is an incoherence to resolve.
Instruction Scope
SKILL.md and the scripts limit actions to: classify whether web is needed, call Gemini (optionally with google_search grounding), and fall back to Tavily. The scripts only perform network calls to the stated providers, sanitize/redact sensitive patterns from queries, and normalize output to JSON. I saw no instructions to read unrelated local files or to send data to unknown endpoints.
Install Mechanism
This is an instruction-only skill with shell scripts (no installer). No downloads or archive extraction are used. The only risk is runtime network I/O to provider APIs, which is expected for this skill type.
Credentials
Requesting GEMINI_API_KEY and TAVILY_API_KEY is appropriate for a Gemini+Tavily search orchestrator. The scripts also require curl and jq. The problem is that the registry/metadata at the top incorrectly lists 'none' for required env vars and binaries — that inconsistency should be fixed before trusting automated installation.
Persistence & Privilege
The skill does not request always:true or modify system or other skills' configs. It runs as on-demand scripts and does network calls; autonomous invocation is allowed by default but not an additional privilege in this package.
Assessment
This skill appears to be what it says: a Gemini-first web search with automatic Tavily fallback. Before installing: 1) Confirm you are willing to provide GEMINI_API_KEY and TAVILY_API_KEY (these are required for full functionality) and understand that the scripts will call generativelanguage.googleapis.com and api.tavily.com. 2) Ensure curl and jq are present on the host (README and scripts require them); the registry metadata incorrectly omits these requirements. 3) Note one of the included scripts (gemini_tavily_search.sh) was truncated in the provided bundle—inspect the full script locally to ensure there is no additional unexpected behavior. 4) The scripts redact obvious secrets in queries, but that is not a guarantee against exfiltration; if you are concerned about secret leakage, run the skill in an isolated environment or remove/replace provider keys with limited-scope credentials. 5) If you need transparency about fallback behavior, be aware SKILL.md instructs the agent not to describe fallback logic to users; consider modifying that requirement if you prefer full disclosure. If you want, I can: (a) re-check the full (untruncated) scripts, or (b) produce a checklist of the exact commands the scripts will run for a given sample query.Like a lobster shell, security has layers — review code before you run it.
latestvk97e7jhc2x3vsvbpnytbkaznmd8347rb
License
MIT-0
Free to use, modify, and redistribute. No attribution required.