Back to skill

Security audit

Tavily Search

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Tavily web-search skill that sends user-provided search requests to Tavily using the user's API key.

Install only if you are comfortable sending search queries and selected options to Tavily. Keep the Tavily API key private, avoid searching for secrets or sensitive internal information, and use domain filters or avoid raw-content mode when you need tighter control over retrieved data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill sends user-provided search queries to Tavily's external API and can optionally request raw/full page content, but the documentation does not clearly disclose this third-party data transfer. This creates a real privacy and data-handling risk because users may submit sensitive prompts, internal URLs, or proprietary research terms without realizing that data leaves their environment and may be processed by an outside service.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.