Back to skill

Security audit

OpenClaw Tavily Search (lym)

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Tavily web-search skill that uses an AISA API key and a Python client, with no evidence of hidden persistence, credential scraping, or destructive behavior.

Install this only if you are comfortable providing an AISA_API_KEY and sending search queries to AISA/Tavily. Do not include secrets, private customer data, or confidential project details in searches unless your organization allows that provider relationship.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill invokes a Python script that reads an API key from environment variables or a local .env file and makes outbound web requests, so it clearly uses env, file-read, and network capabilities despite not declaring permissions. Undeclared capabilities weaken policy enforcement and user awareness, increasing the chance that sensitive data is accessed or transmitted without appropriate review.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill description tells users to use Tavily for web search but does not clearly disclose that their query content will be sent to a third-party service. This can expose sensitive prompts, internal project names, credentials pasted into queries, or other confidential data to an external provider without informed consent.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.