Skill v1.0.0

ClawScan security

Market Research Litiao · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 17, 2026, 6:03 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's purpose (market research using Tavily) and the single requested environment variable (TAVILY_API_KEY) match, but the runtime instructions assume local Node scripts in a specific ~/.openclaw workspace that are not included or explained — that mismatch warrants caution.
Guidance
This skill appears to legitimately use Tavily for market research and only requests a Tavily API key, which is reasonable. However, the runtime instructions expect you to run node scripts under ~/.openclaw/workspace/skills/tavily-search-litiao that are not included here — ask the publisher what those scripts are or whether you need a companion 'tavily-search' skill. Before installing or providing TAVILY_API_KEY: (1) verify the source/publisher and confirm where the referenced Node scripts come from, (2) inspect any companion scripts for unexpected behavior before running them, (3) consider creating a limited/rotatable Tavily key or testing in a sandbox account, and (4) avoid granting unrelated credentials or running unknown local scripts.

Review Dimensions

Purpose & Capability
note · The name/description say it uses the Tavily API and the declared requirement is TAVILY_API_KEY — that's coherent. However, the SKILL.md instructs running node scripts in ~/.openclaw/workspace/skills/tavily-search-litiao which are not part of this package; relying on an external, undeclared companion script is surprising and should be justified.
Instruction Scope
note · Instructions are generally scoped to market research tasks and reference only the Tavily key. They do, however, instruct the agent to cd into a specific user-home path and run local Node scripts (node scripts/search.mjs ...). Those filesystem/command instructions reference code that isn't present in this skill and could cause the agent to attempt to execute arbitrary local scripts if those files exist — the SKILL.md should explain its relationship to the referenced scripts or include them.
Install Mechanism
ok · There is no install spec (instruction-only), which is low-risk in itself. The lack of an install step also explains why the referenced Node scripts are missing from this package — but that missing piece is the main concern, not the install mechanism.
Credentials
ok · Only TAVILY_API_KEY is declared as required, and Tavily is explicitly the preferred data source. Requesting that single API key is proportionate to the stated purpose; no unrelated secrets or broad credentials are requested.
Persistence & Privilege
ok · 'always' is false and the skill does not request persistent or elevated privileges. Autonomous invocation is permitted (platform default) but not combined with other red flags here.