Tavily Research

Security checks across malware telemetry and agentic risk

Overview

This appears to be a straightforward Tavily web-research helper that sends user-chosen queries to Tavily and can optionally save a report.

Install only if you are comfortable sending research queries to Tavily. Do not include secrets, private customer data, or sensitive internal material in queries unless Tavily's handling is acceptable to you, keep the API key protected, and choose --output filenames carefully.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The skill description is very broad and generic, which can cause an agent to invoke it for a wide range of loosely related prompts without clear scope limits. In an agentic environment, over-broad routing increases the chance of unnecessary external web queries, accidental disclosure of sensitive user/task context to a third-party API, and incorrect tool selection over safer or more specialized skills.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script sends the user's research query and receives synthesized results from a third-party service without any explicit warning, consent prompt, or data-handling notice. In a research skill, users may paste proprietary, personal, or otherwise sensitive text into the query field, so silent transmission to an external API creates a real privacy and compliance risk even if it is functionally expected.

External Transmission

Medium
Category
Data Exfiltration
Content
body.max_results = 10;
}

const resp = await fetch("https://api.tavily.com/search", {
  method: "POST",
  headers: {
    "Content-Type": "application/json",
Confidence
89% confidence
Finding
fetch("https://api.tavily.com/search", { method: "POST"

External Transmission

Medium
Category
Data Exfiltration
Content
body.max_results = 10;
}

const resp = await fetch("https://api.tavily.com/search", {
  method: "POST",
  headers: {
    "Content-Type": "application/json",
Confidence
89% confidence
Finding
https://api.tavily.com/

VirusTotal

66/66 vendors flagged this skill as clean.
