One-Click Web Search Setup · Tavily One-Step

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: tavily-one-step-search
Version: 1.0.3

The skill provides a legitimate interface for the Tavily Search API, enabling web search, content extraction, and site crawling. The implementation in `scripts/tavily_search.mjs` is a clean Node.js script that communicates exclusively with `api.tavily.com` and handles API keys via standard environment variables or a local configuration file (`~/.openclaw/.env`). The documentation and agent instructions are well-structured, focusing on guided setup and functional usage without any evidence of malicious intent, data exfiltration, or harmful prompt injection.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Your Tavily API key is used to authenticate searches, extracts, crawls, and maps through Tavily.

Why it was flagged

The code loads a Tavily API key and uses it for Tavily API authorization. This is expected for the service, but it is still credential handling users should be aware of.

Skill content
if (process.env.TAVILY_API_KEY?.trim()) return process.env.TAVILY_API_KEY.trim(); ... "Authorization": `Bearer ${key}`
Recommendation

Set the key manually in a local .env file, avoid pasting secrets into chat unless necessary, and rotate the key if it is exposed.

What this means

If you install from GitHub, you may get whatever code is current in that repository at install time.

Why it was flagged

The manual install path pulls the latest GitHub repository contents without a pinned commit or release. This is user-directed and common for setup docs, but it means the installed code may differ from the reviewed artifacts.

Skill content
git clone https://github.com/plabzzxx/openclaw-tavily-search tavily-search
Recommendation

Prefer a reviewed registry install when available, or verify the GitHub repository and pin a specific commit or release before installing.

What this means

Future web-search requests may be routed to Tavily more often, which means those queries may be sent to Tavily.

Why it was flagged

The setup prompt asks the agent to store a lasting preference that affects future search behavior. It is disclosed and scoped to web lookup tasks, but persistent tool preferences can influence later sessions.

Skill content
Add a memory preference:
   - When web_search (Brave) is unavailable, use tavily-search skill first.
   - For general web lookup tasks, try tavily-search before giving up.
Recommendation

Only add this memory preference if you want that behavior, and remove or edit it later if you do not want Tavily used by default.

What this means

Network requests may not follow the documented proxy behavior, which could affect connectivity or routing expectations.

Why it was flagged

SKILL.md documents --proxy and --no-proxy controls, but the reviewed request code does not pass a proxy agent/dispatcher or otherwise use those parsed flags. Users should not rely on those proxy controls without testing.

Skill content
const res = await fetch(`${API_BASE}/${endpoint}`, {
        method: "POST",
        headers: {
Recommendation

Verify proxy behavior before relying on it, and ask the maintainer to either implement the proxy flags or remove the unsupported documentation.