Tavily Web Search

Status: Pending

Static analysis audit pending.

Overview

No static analysis result has been recorded yet. Pattern checks will appear here once the artifact has been analyzed.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill can use your Tavily API key, which may incur Tavily usage and associate searches with your Tavily account.

Why it was flagged

This shows that the skill reads and uses a local Tavily credential. That is expected for a Tavily integration, but users should be aware of it because the registry metadata lists no primary credential or required environment variable.

Skill content

The script looks for the Tavily API key in: 1. `workspace/secrets/tavily_api_key` ... 3. `TAVILY_API_KEY` environment variable
Recommendation

Use a dedicated Tavily key, store it only in the intended secret path or environment variable, and rotate or revoke it if you no longer use the skill.

What this means

Search queries, including any sensitive terms you include, are sent to Tavily along with the API key needed to perform the search.

Why it was flagged

The script sends the search query and Tavily API key to Tavily's external API. This is disclosed and purpose-aligned for web search, but it is still a third-party data boundary.

Skill content

`payload = { "api_key": api_key, "query": query, ... }; requests.post("https://api.tavily.com/search", json=payload, timeout=30)`
Recommendation

Avoid putting secrets or highly sensitive private information into search queries, and review Tavily's data handling and billing expectations before use.