Openclaw Tavily Search

This skill is broadly what it claims (a Tavily API search client), but there are a few mismatches you should consider before installing: - Required credential not declared: the package registry metadata does not list any required env vars, yet both SKILL.md and the script require TAVILY_API_KEY. Expect to provide that API key to use the skill. - Hidden config-file fallback: the script will try to read ~/.openclaw/.env to find TAVILY_API_KEY if the env var is not set. If you store the key there, review the file contents and its permissions; the skill reads the file from your home directory. - Network behavior: the script sends your queries and the API key to api.tavily.com. Only proceed if you trust Tavily and are comfortable with the queries being sent to that third party. - Metadata inconsistencies: internal _meta.json values (version/owner) differ from registry metadata, which could indicate sloppy packaging. Recommendations: - If you plan to use it, set TAVILY_API_KEY explicitly as an environment variable rather than relying on the fallback file. - Inspect ~/.openclaw/.env before placing any secrets in it; prefer secure storage with limited file permissions. - Verify you trust the Tavily service (api.tavily.com) and the skill author. If unsure, avoid exposing production or multi-service credentials to this skill. Confidence notes: The code is readable and not obfuscated; the main concerns are metadata/env-var mismatches and the undocumented file read. These suggest sloppy packaging or insufficient declarations rather than clearly malicious behavior.