ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Tavily Crawl

v1.0.0

Crawl any website and save pages as local markdown files. Ideal for downloading documentation, knowledge bases, or web content for offline access or analysis.

0· 465·1 current·1 all-time
byLiang@matthew77
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match required items: it requires node and a TAVILY_API_KEY, and the script POSTs crawl requests to https://api.tavily.com/crawl. There are no unrelated credentials, binaries, or surprising config paths.
Instruction Scope
SKILL.md and the script are narrowly scoped to crawling: they instruct calling the included Node script which sends the target URL and options to the Tavily API and then prints or writes returned content. The instructions do not request other system files or additional environment variables.
Install Mechanism
No install spec; the skill is instruction-plus-script and relies on the node binary already present. The included script is plain, readable JS — there are no external downloads or archives executed at install time.
Credentials
Only one credential is required (TAVILY_API_KEY), and it directly aligns with the script's Authorization header. No other secrets or unrelated env vars are requested.
Persistence & Privilege
always is false and the skill does not attempt to modify other skills or system-wide settings. It writes files only to a user-specified output directory (when provided).
Assessment
This skill is internally coherent, but note that running it sends the target URL and any natural-language instructions to Tavily's API (https://api.tavily.com/crawl) along with your TAVILY_API_KEY. Only use it with sites you are allowed to crawl and avoid sending private/internal URLs or secrets. Ensure the API key has appropriate scope/rotation policy. When saving output, explicitly set --output to a safe directory and set conservative --limit/--depth values to avoid large or unintended crawls. If you need higher assurance, review the included scripts/crawl.mjs yourself and confirm the Tavily domain and API behavior match your expectations before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk97a8r32rteckw38pffnmm19e182462t

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🕷️ Clawdis
Binsnode
EnvTAVILY_API_KEY
Primary envTAVILY_API_KEY

Comments