Tavily Search Pro Native Node

Pass. Audited by VirusTotal on May 10, 2026.

Overview

Type: OpenClaw Skill
Name: tavily-search-pro-native-node
Version: 1.0.4

The skill is a well-documented and transparently implemented Node.js toolkit for the Tavily API. It uses native Node.js modules with zero external dependencies, limits network communication strictly to 'api.tavily.com', and restricts filesystem activity to a dedicated cache directory under the user's home folder. The code in 'scripts/tavily-pro.mjs' is clean, lacks obfuscation, and strictly follows the functionality described in 'SKILL.md' without any signs of malicious intent or prompt injection.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Search terms and URLs requested through this skill are sent to Tavily, so sensitive research topics should not be used casually.

Why it was flagged

The skill sends user queries and extraction URLs to an external provider. That is central to a Tavily search/extract tool and is disclosed, but users should understand the privacy boundary.

Skill content

Makes network calls only to Tavily's HTTPS endpoints: `https://api.tavily.com/search` and `https://api.tavily.com/extract` ... Do NOT use this when: Privacy-sensitive queries (everything transmits to api.tavily.com)

Recommendation

Use it only for research you are comfortable sending to Tavily, and prefer local or built-in fetch tools for privacy-sensitive one-off page reads.

What this means

The skill can consume Tavily account credits and depends on a valid API key being present in the process environment.

Why it was flagged

The script reads a Tavily API key from the environment and sends it to Tavily as an authorization credential. This is expected for the service, but it is still sensitive credential use.

Skill content

const value = (process.env.TAVILY_API_KEY || "").trim(); ... Authorization: `Bearer ${apiKey}`

Recommendation

Set TAVILY_API_KEY only in environments where you intend to use this skill, and monitor Tavily usage. The publisher should declare the required credential in registry metadata.

What this means

Someone with access to the local machine could review cached results or usage logs that reveal past searches and extracted URLs.

Why it was flagged

The skill persistently stores usage logs and cached responses locally. This is disclosed and scoped to the skill cache directory, but those records may reveal queries, URLs, or retrieved content.

Skill content

Writes cache and usage logs only under `~/.openclaw/cache/tavily-search-pro-native-node/` ... Usage logs may contain plaintext search queries/URLs; use `--no-log` for sensitive calls.

Recommendation

Use --no-log and/or --no-cache for sensitive calls, run `cache clear` when appropriate, and avoid using this skill for private queries.