Tavily Search Litiao
AdvisoryAudited by Static analysis on May 10, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the skill can consume quota or perform searches/extractions under your Tavily account.
The skill requires a Tavily provider credential; the scripts use that credential to authenticate API requests.
Needs `TAVILY_API_KEY` from https://tavily.com
Use a dedicated Tavily API key where possible, monitor usage, and rotate or revoke the key if you stop using the skill.
Search terms may be sent to Tavily, so sensitive information included in queries could leave the local environment.
The script sends the user-provided search query and options to Tavily's external API, which is purpose-aligned for web search.
fetch("https://api.tavily.com/search", { ... body: JSON.stringify(body) })Avoid putting secrets or private data in search queries unless you are comfortable sending them to Tavily.
The mismatch does not show malicious behavior, but it weakens confidence in package provenance or naming consistency.
The supplied registry metadata identifies a different owner and slug for this review, so the bundled metadata is inconsistent with the package listing even though the functional code is coherent.
"ownerId": "kn7azq5e6sw0fbwwzdpcwvvjzd7z0x4z", "slug": "tavily-search"
Confirm that this is the intended Tavily skill and publisher before installing, especially if you rely on publisher identity for trust.