One-Click Web Search Setup · Tavily One-Step
Pass
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a purpose-aligned Tavily web search helper, but users should notice the API key handling, persistent search preference, unpinned GitHub install instructions, and proxy-control documentation mismatch.
This skill looks reasonable for Tavily-powered web search. Before installing, confirm you trust the Tavily service and the GitHub source if using the README install flow, set the API key locally rather than sharing it in chat, and do not rely on the documented proxy flags unless you have tested them.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your Tavily API key is used to authenticate searches, extracts, crawls, and maps through Tavily.
The code loads a Tavily API key and uses it for Tavily API authorization. This is expected for the service, but it is still credential handling users should be aware of.
if (process.env.TAVILY_API_KEY?.trim()) return process.env.TAVILY_API_KEY.trim(); ... "Authorization": `Bearer ${key}`
Set the key manually in a local .env file, avoid pasting secrets into chat unless necessary, and rotate the key if it is exposed.
If you install from GitHub, you may get whatever code is current in that repository at install time.
The manual install path pulls the latest GitHub repository contents without a pinned commit or release. This is user-directed and common for setup docs, but it means the installed code may differ from the reviewed artifacts.
git clone https://github.com/plabzzxx/openclaw-tavily-search tavily-search
Prefer a reviewed registry install when available, or verify the GitHub repository and pin a specific commit or release before installing.
Future web-search requests may be routed to Tavily more often, which means those queries may be sent to Tavily.
The setup prompt asks the agent to store a lasting preference that affects future search behavior. It is disclosed and scoped to web lookup tasks, but persistent tool preferences can influence later sessions.
Add a memory preference:
- When web_search (Brave) is unavailable, use tavily-search skill first.
- For general web lookup tasks, try tavily-search before giving up.
Only add this memory preference if you want that behavior, and remove or edit it later if you do not want Tavily used by default.
Network requests may not follow the documented proxy behavior, which could affect connectivity or routing expectations.
SKILL.md documents --proxy and --no-proxy controls, but the reviewed request code does not pass a proxy agent/dispatcher or otherwise use those parsed flags. Users should not rely on those proxy controls without testing.
const res = await fetch(`${API_BASE}/${endpoint}`, {
method: "POST",
headers: {
Verify proxy behavior before relying on it, and ask the maintainer to either implement the proxy flags or remove the unsupported documentation.
