Tavily Extract

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Tavily reference skill, but users should remember that Tavily API examples send queries, URLs, and fetched web content to an external service.

Reasonable to install as a Tavily integration guide. Before using the examples, keep the Tavily API key in environment variables or a secret manager, review any pip/npm packages you install, and avoid sending private URLs, internal pages, secrets, personal data, or regulated content to Tavily unless your organization has approved that data flow.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill sends user-supplied URLs and extracted web content to Tavily's external service, but the description and authentication/setup guidance do not warn users about this third-party data transfer. This can lead users to submit internal, private, or sensitive URLs/content under the mistaken assumption processing is local, creating avoidable confidentiality and compliance risk.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal