Tavily Search Litiao

Security checks across malware telemetry and agentic risk

Overview

This is a purpose-aligned web search skill, but users should remember that searches go through external services.

Install only if you are comfortable sending web search terms and any supplied URLs through AISA/Tavily. Do not use it for secrets, private internal URLs, or proprietary prompts unless that data sharing is approved.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill documentation exposes a web search and URL extraction capability backed by Tavily, but it does not clearly disclose that user queries, supplied URLs, and potentially fetched page content are transmitted to an external third-party service. In an agent setting, this can lead to unintentional exfiltration of sensitive prompts, internal URLs, or proprietary content because operators may assume the tool works locally unless data-sharing behavior is explicitly documented.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal