Security audit

Tavily Metered Search

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Tavily web-search helper that uses a Tavily API key, sends searches to Tavily, and keeps a local quota counter.

Install only if you are comfortable giving the skill access to your Tavily API key, sending search queries to Tavily, and allowing it to maintain a local monthly usage counter in the skill directory.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 97% confidence
Finding: The skill documentation declares only an environment requirement but does not explicitly declare the broader capabilities it uses: network access to Tavily, file reads for config/state, and file writes for usage tracking. This creates a permission-transparency gap where operators may approve or run the skill without understanding that it persists data locally and accesses external services, which weakens auditability and informed consent.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.