Tavily Crawl

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Tavily website crawler that uses a Tavily API key and can optionally save crawled pages locally.

Use this only for sites you are authorized to crawl. Avoid internal, authenticated, confidential, or regulated content unless your organization permits sending it to Tavily. Use conservative crawl limits, a dedicated output directory, and a revocable Tavily API key; treat crawled content as untrusted before feeding it to an agent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Low
Confidence: 89%
Finding
The skill explicitly supports saving crawled website content to a user-specified local directory, but the description does not clearly warn users that running it may write many files to disk. This is dangerous because users may invoke it in sensitive working directories or agentic environments without realizing it performs filesystem writes, which can cause accidental data sprawl, overwrite risk, or unexpected persistence of downloaded content.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill documentation explains authentication and usage with the Tavily API but does not clearly warn that crawl targets, instructions, and retrieved web content are transmitted to a third-party service. This creates a real privacy and data-governance risk because users may send internal URLs, confidential targets, or sensitive query context to an external provider without informed consent.

VirusTotal

66/66 vendors flagged this skill as clean.
