ClawHub

Tavily Search

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This appears to be a straightforward Tavily web-search wrapper; the main considerations are that it uses your Tavily API key, sends search queries to Tavily, and returns untrusted web content.

This skill is reasonable to install if you are comfortable using Tavily for web search. Protect the TAVILY_API_KEY, avoid searching for secrets or sensitive private data, and treat returned snippets or raw page content as untrusted web material.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

#
ASI07: Insecure Inter-Agent Communication
Low
What this means

Search queries may be visible to Tavily and may affect Tavily account usage or billing.

Why it was flagged

The script sends the user or agent's search query and options to Tavily's external API. This is disclosed and purpose-aligned, but users should know their queries leave the local environment.

Skill content
const resp = await fetch("https://api.tavily.com/search", { ... body: JSON.stringify(body) });
Recommendation

Avoid putting secrets or highly private information in search queries, and review Tavily's privacy and billing terms before use.

#
ASI03: Identity and Privilege Abuse
Low
What this means

Anyone able to run the skill with this environment variable can use the associated Tavily account quota or permissions.

Why it was flagged

The skill reads the Tavily API key from the environment and uses it as a Bearer token for Tavily requests. The artifacts do not show logging or unrelated use of the key.

Skill content
const apiKey = (process.env.TAVILY_API_KEY ?? "").trim(); ... "Authorization": `Bearer ${apiKey}`
Recommendation

Store the API key securely, use only the key needed for Tavily search, and rotate it if it is exposed.

#
ASI01: Agent Goal Hijack
Low
What this means

A malicious or low-quality search result could include misleading instructions or claims that the agent might over-trust.

Why it was flagged

The skill can return web page content into the agent context. Web pages and snippets are untrusted and could contain text that attempts to influence the agent.

Skill content
`--raw-content` | Include full page content
Recommendation

Treat search results and raw page content as data to summarize or cite, not as instructions to execute or policies to obey.