Tavily Search Litiao

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: tavily-search-litiao
Version: 1.0.0

The skill provides a legitimate interface for the Tavily Search API to perform web searches and content extraction. The scripts search.mjs and extract.mjs correctly handle the TAVILY_API_KEY environment variable and communicate exclusively with the official api.tavily.com endpoint. No evidence of data exfiltration, malicious execution, or prompt injection was found.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running the skill can consume quota or perform searches/extractions under your Tavily account.

Why it was flagged

The skill requires a Tavily provider credential; the scripts use that credential to authenticate API requests.

Skill content

Needs `TAVILY_API_KEY` from https://tavily.com

Recommendation

Use a dedicated Tavily API key where possible, monitor usage, and rotate or revoke the key if you stop using the skill.

What this means

Search terms may be sent to Tavily, so sensitive information included in queries could leave the local environment.

Why it was flagged

The script sends the user-provided search query and options to Tavily's external API, which is purpose-aligned for web search.

Skill content

fetch("https://api.tavily.com/search", { ... body: JSON.stringify(body) })

Recommendation

Avoid putting secrets or private data in search queries unless you are comfortable sending them to Tavily.

What this means

The mismatch does not show malicious behavior, but it weakens confidence in package provenance or naming consistency.

Why it was flagged

The supplied registry metadata identifies a different owner and slug for this review, so the bundled metadata is inconsistent with the package listing even though the functional code is coherent.

Skill content

"ownerId": "kn7azq5e6sw0fbwwzdpcwvvjzd7z0x4z", "slug": "tavily-search"

Recommendation

Confirm that this is the intended Tavily skill and publisher before installing, especially if you rely on publisher identity for trust.