My Liang Tavily Search
Analysis
The skill matches its stated Tavily web-search purpose, with expected API key use and third-party query sharing, but its package metadata should be verified.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.
"ownerId": "kn724ben7jjrcy3pebw2jbak3s8201cp", "slug": "my-liang-tavily-search", "version": "1.0.1"
The supplied registry metadata lists a different owner ID and version, so the package identity metadata is inconsistent even though the runtime code is coherent.
Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.
const apiKey = (process.env.TAVILY_API_KEY ?? "").trim(); ... "Authorization": `Bearer ${apiKey}`
The script requires a Tavily API key and sends it to Tavily as a bearer token; this is expected for the stated service, but it is still credential use.
Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.
const body = { query: query, ... }; ... await fetch("https://api.tavily.com/search", { method: "POST", ... body: JSON.stringify(body) })
Search queries and options are sent to the external Tavily API; this is disclosed and purpose-aligned, but creates a third-party data boundary.
