ClawHub
Back to skill
v1.0.3

Tavily Crypto Finance Search

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 7:58 AM.

Analysis

This is a straightforward Tavily search/extract wrapper; the main things to notice are its required Tavily API key and third-party search data flow.

GuidanceThis skill appears coherent and purpose-aligned. Install it if you are comfortable providing a Tavily API key and sending your search queries or requested URLs to Tavily. Prefer a dedicated API key and avoid using the skill for confidential or private URLs unless that data sharing is acceptable.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
scripts/tavily.py
key = os.environ.get("TAVILY_API_KEY") ... payload["api_key"] = key

The script reads a Tavily API key from the environment and inserts it into Tavily API requests. This is expected for a Tavily integration, but it is still credential use that the user should be aware of.

User impactYou must provide a Tavily API key, and the skill will use that key when making search or extraction requests.
RecommendationUse a dedicated, revocable Tavily API key and avoid sharing keys across unrelated tools. Update registry metadata to declare the required credential.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityLowConfidenceHighStatusNote
scripts/tavily.py
SEARCH_URL = "https://api.tavily.com/search" ... EXTRACT_URL = "https://api.tavily.com/extract"

User search queries and extract URLs are sent to Tavily's external provider endpoints. This is core to the skill's purpose, but it is a third-party data flow.

User impactTavily can receive the searches, URLs, and extraction requests you submit through this skill.
RecommendationDo not submit confidential URLs, private documents, or highly sensitive research queries unless you are comfortable sending them to Tavily.