Tavily Search Litiao

Pass. Audited by ClawScan on May 10, 2026.

Overview

This skill appears to do what it claims: it runs small Node scripts that send searches or selected URLs to Tavily using your Tavily API key.

This looks like a normal Tavily search/extraction helper. Before installing, verify the publisher/package identity because the bundled metadata does not exactly match the registry listing, and use a dedicated Tavily API key if possible. Do not include private secrets in search queries or URLs unless you are comfortable sending them to Tavily.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running the skill can consume quota or perform searches/extractions under your Tavily account.

Why it was flagged

The skill requires a Tavily provider credential; the scripts use that credential to authenticate API requests.

Skill content

Needs `TAVILY_API_KEY` from https://tavily.com

Recommendation

Use a dedicated Tavily API key where possible, monitor usage, and rotate or revoke the key if you stop using the skill.

What this means

Search terms may be sent to Tavily, so sensitive information included in queries could leave the local environment.

Why it was flagged

The script sends the user-provided search query and options to Tavily's external API, which is purpose-aligned for web search.

Skill content

fetch("https://api.tavily.com/search", { ... body: JSON.stringify(body) })

Recommendation

Avoid putting secrets or private data in search queries unless you are comfortable sending them to Tavily.

What this means

The mismatch does not show malicious behavior, but it weakens confidence in package provenance or naming consistency.

Why it was flagged

The supplied registry metadata identifies a different owner and slug for this review, so the bundled metadata is inconsistent with the package listing even though the functional code is coherent.

Skill content

"ownerId": "kn7azq5e6sw0fbwwzdpcwvvjzd7z0x4z", "slug": "tavily-search"

Recommendation

Confirm that this is the intended Tavily skill and publisher before installing, especially if you rely on publisher identity for trust.