Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Tavily Research

v1.0.0

Comprehensive research grounded in web data with explicit citations. Use when you need multi-source synthesis—comparisons, current events, market analysis, d...

by Liang@matthew77
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (web research with citations) align with required items: Node runtime and a single TAVILY_API_KEY. The script sends queries to api.tavily.com and returns results, which is consistent with the stated functionality.
Instruction Scope
SKILL.md and the included script limit actions to: reading TAVILY_API_KEY, POSTing a JSON query to https://api.tavily.com/search, formatting the returned JSON into a report, and optionally writing the report to a file. There are no instructions to read other environment variables, scan local files, or transmit data to third-party endpoints.
Install Mechanism
No install spec is provided (instruction-only plus an included script). The only runtime requirement is the node binary, which is reasonable for a JS script. Nothing is downloaded from untrusted URLs or written to unusual locations.
Credentials
Only one credential is required (TAVILY_API_KEY) and it is the primary credential. That matches the need to authenticate to Tavily's API; there are no unrelated secrets or broad environment access requested.
Persistence & Privilege
always is false and the skill does not request persistent system-wide changes or modify other skills. It does not store credentials itself; it expects the user to provide the API key via env or config.
Assessment
This skill appears to do exactly what it says: it sends your query to Tavily's API and formats the response. Before installing, confirm you trust tavily.com and are comfortable providing your Tavily API key to the agent (the key is used to authenticate requests to api.tavily.com). If you have sensitive queries, avoid using --output to save them to disk in shared locations. If you need stricter controls, consider creating a limited-scope API key (if Tavily supports that) or reviewing network policies so the skill can only contact api.tavily.com.

Like a lobster shell, security has layers — review code before you run it.



Runtime requirements

📊 Clawdis
Bins: node
Env: TAVILY_API_KEY
Primary env: TAVILY_API_KEY
