Skill v1.0.0
ClawScan security
Tavily Search 1 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 7, 2026, 1:41 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: This skill is internally consistent with its description: it runs Node scripts that call Tavily's official API and only asks for a Tavily API key — no unrelated credentials or system access are requested, though there is a minor metadata mismatch to verify.
- Guidance: This skill will send any queries and any URLs you pass to Tavily's servers and will include your TAVILY_API_KEY in those requests. Before installing: (1) confirm you trust tavily.com and the published skill source (note the ownerId mismatch in _meta.json vs registry metadata), (2) avoid sending sensitive internal URLs or secrets through the skill, (3) ensure Node (with global fetch support) is available, and (4) treat the API key as sensitive — rotate it if you suspect it was exposed. If provenance is important, ask the publisher to explain the metadata mismatch or provide an official upstream link.
Review Dimensions
- Purpose & Capability (note): Name/description match the implemented behavior: both scripts call https://api.tavily.com endpoints to perform search and extract. Required binary (node) and required env var (TAVILY_API_KEY) are appropriate. Minor issue: _meta.json ownerId differs from the registry Owner ID in the provided metadata, which is a packaging/provenance inconsistency worth verifying but does not change functionality.
- Instruction Scope (ok): SKILL.md and the scripts limit actions to taking CLI args, reading TAVILY_API_KEY, and POSTing queries/URLs to Tavily endpoints. The scripts do not read other files, config paths, or unrelated environment variables, nor do they transmit data to third parties outside tavily.com.
- Install Mechanism (ok): No install mechanism is specified (instruction-only skill with included scripts). That is low risk; the code is executed by the user's node runtime and no archives or remote downloads are performed by the skill itself.
- Credentials (ok): Only a single environment variable (TAVILY_API_KEY) is required and it is used directly in requests to the Tavily API. This is proportionate to a search/extract integration.
- Persistence & Privilege (ok): The skill does not request persistent/always-on inclusion and does not modify other skills or system-wide settings. It runs as invoked and has no elevated platform privileges.
