Tavily Search Pro Native Node

Pass. Audited by ClawScan on May 10, 2026.

Overview

This appears to be a disclosed Tavily search/extract helper; the main things to notice are Tavily API-key use and local logging/caching of searches and URLs.

This skill is reasonable for Tavily-backed research if you are comfortable sending queries and URLs to Tavily and storing local cache/log files. Before installing, provide TAVILY_API_KEY only where needed, avoid privacy-sensitive searches, and use --no-log, --no-cache, or cache clear for sensitive sessions.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Search terms and URLs requested through this skill are sent to Tavily, so sensitive research topics should not be used casually.

Why it was flagged

The skill sends user queries and extraction URLs to an external provider. That is central to a Tavily search/extract tool and is disclosed, but users should understand the privacy boundary.

Skill content

Makes network calls only to Tavily's HTTPS endpoints: `https://api.tavily.com/search` and `https://api.tavily.com/extract` ... Do NOT use this when: Privacy-sensitive queries (everything transmits to api.tavily.com)

Recommendation

Use it only for research you are comfortable sending to Tavily, and prefer local or built-in fetch tools for privacy-sensitive one-off page reads.

What this means

The skill can consume Tavily account credits and depends on a valid API key being present in the process environment.

Why it was flagged

The script reads a Tavily API key from the environment and sends it to Tavily as an authorization credential. This is expected for the service, but it is still sensitive credential use.

Skill content

const value = (process.env.TAVILY_API_KEY || "").trim(); ... Authorization: `Bearer ${apiKey}`

Recommendation

Set TAVILY_API_KEY only in environments where you intend to use this skill, and monitor Tavily usage. The publisher should declare the required credential in registry metadata.

What this means

Someone with access to the local machine could review cached results or usage logs that reveal past searches and extracted URLs.

Why it was flagged

The skill persistently stores usage logs and cached responses locally. This is disclosed and scoped to the skill cache directory, but those records may reveal queries, URLs, or retrieved content.

Skill content

Writes cache and usage logs only under `~/.openclaw/cache/tavily-search-pro-native-node/` ... Usage logs may contain plaintext search queries/URLs; use `--no-log` for sensitive calls.

Recommendation

Use --no-log and/or --no-cache for sensitive calls, run `cache clear` when appropriate, and avoid using this skill for private queries.