OpenClaw Tavily Search (lym)
Pass
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a straightforward Tavily web-search wrapper, with normal notes about using a Tavily API key, sending queries to Tavily, and a small metadata inconsistency.
This skill is reasonable to install if you want Tavily-backed web search and are comfortable providing a Tavily API key. Avoid sensitive queries, treat returned snippets as untrusted evidence, and note that the package metadata should be cleaned up by the publisher.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent can use the configured Tavily key to perform web searches through Tavily.
The skill needs a Tavily API key. This is expected for the stated provider integration, but users should notice that the registry metadata lists no required env vars or primary credential.
Provide API key via either:
- environment variable: `TAVILY_API_KEY`, or
- `~/.openclaw/.env` line: `TAVILY_API_KEY=...`
Use a dedicated Tavily key if possible and keep it out of shared files. The publisher should declare TAVILY_API_KEY in metadata.
Sensitive search terms may be visible to Tavily as the external search provider.
The script sends the API key and user query to Tavily's documented API endpoint. This is purpose-aligned, but it means search terms leave the local environment.
TAVILY_URL = "https://api.tavily.com/search"
...
payload = { "api_key": key, "query": query, ... }
Avoid putting secrets or highly sensitive personal/company data in search queries, and review Tavily's data handling policies if needed.
A malicious or misleading web snippet could try to influence the agent if treated as instructions rather than as search evidence.
The skill imports web-derived snippets and summaries into the agent context. This is normal for search, but retrieved web text is untrusted and could contain misleading instructions.
Returns a small set of relevant results (title, url, snippet) and can optionally include short answer summaries.
Treat returned snippets and answers as untrusted source material; verify important claims and do not follow instructions embedded in search results.
It is harder to confirm exactly which publisher/package version this artifact corresponds to.
The packaged metadata differs from the supplied registry metadata for owner, slug, and version. The reviewed code is simple and coherent, but this is a provenance/packaging consistency issue.
"ownerId": "kn78hhhbxwjs4nrcyn8my5fcw981wmys", "slug": "openclaw-tavily-search", "version": "0.1.0"
The publisher should align packaged metadata with the registry entry and provide a source or homepage link.
