Context-Inappropriate Capability
Medium
- Confidence
- 95% confidence
- Finding
- The skill explicitly instructs reading `TAVILY_API_KEY` from the user's local `~/.openclaw/.env` file, which accesses local secrets unrelated to the user's direct research query. Even though the key is then used for a search API, pulling credentials from local storage without clear consent expands the skill's privileges and creates unnecessary secret-handling risk.
