Tavily Search with Multi-Key

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Tavily web-search helper that uses a Tavily API key and sends search queries to Tavily as expected.

Install only if you are comfortable using a Tavily API key and sending your search terms to Tavily. Avoid searches containing secrets, private customer data, or sensitive personal information, and be aware that multi-key rotation stores a small local index file under ~/.openclaw/.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 77%
Finding
The script sends user-supplied search queries and an API credential to a third-party service without any in-code disclosure, consent prompt, or policy guardrails. In an agent setting, users may reasonably assume local processing, so silent external transmission can create privacy and compliance risk when prompts contain sensitive data.

VirusTotal

64/64 vendors flagged this skill as clean.
