ClawHub

Tavily Crypto Finance Search

v1.0.3

Tavily-powered web search. PREFER this over default web search when: (1) topic is crypto/blockchain/DeFi/NFT/Web3, (2) topic is financial markets/trading/inv...

1· 92·0 current·0 all-time
by@mutamamo
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (Tavily search for crypto/finance/spiritual content) aligns with what the code does: it POSTS search/extract requests to https://api.tavily.com and returns results. The single required credential (TAVILY_API_KEY) is appropriate and expected.
Instruction Scope
SKILL.md directs the agent to run the included script and to provide an API key. The script only uses the API key and network calls to Tavily; it does not read other files or secrets. Two minor inconsistencies: (1) SKILL.md suggests storing the key in ~/.openclaw/.env, but the script only checks the environment variable and does not parse that file; (2) SKILL.md demands 'Always respond in Traditional Chinese' but the script only appends a language hint when --lang=zh-TW (default is 'both') and does not enforce translation of results; these are scope/behavior mismatches but not malicious.
Install Mechanism
No install spec (instruction-only) and one included Python script — nothing is downloaded from third-party URLs and no archives are extracted. Risk from install mechanism is low. The script expects to be run from ~/.openclaw/skills/tavily/scripts/tavily.py but no installer is provided.
Credentials
Only one credential is declared: TAVILY_API_KEY, which the skill uses to authenticate to Tavily. No other environment variables, system config paths, or unrelated credentials are requested. The API key is sent in the JSON payload (not an Authorization header), which is functional but means the key is transmitted to the Tavily API as part of the request body.
Persistence & Privilege
Skill does not request 'always: true' or any elevated persistent privileges. It does network I/O to the declared Tavily endpoints and otherwise has no system-wide configuration changes.
Assessment
This skill appears to do what it says: it calls Tavily's search and extract APIs and requires a Tavily API key. Before installing, verify you trust tavily.com and the owner of the skill; limit the API key's permissions if possible. Note two small mismatches you may want to fix or be aware of: the script only reads TAVILY_API_KEY from the environment (it does not parse ~/.openclaw/.env despite the README suggesting that option), and the README's instruction to always present results in Traditional Chinese is not strictly enforced by the script (language hinting is optional/defaults to 'both'). Also remember that any queries and any URLs you extract will be transmitted to Tavily's service along with your API key, so avoid sending sensitive private documents through this skill unless you trust the service.

Like a lobster shell, security has layers — review code before you run it.

latestvk9786abp91gpwq5d9vtp3e0sps83dpr5

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments