v0.1.0

Tavily Search

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 7:41 AM.

Analysis

This appears to be a straightforward Tavily web-search integration, but it will send searches and URLs to Tavily using your Tavily API key.

Guidance: This skill is coherent and purpose-aligned. Before installing, make sure you are comfortable with Tavily receiving your searches, URLs, crawl instructions, and research prompts, and use a Tavily API key you can monitor and revoke.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agent Goal Hijack
Severity: Low | Confidence: High | Status: Note
SKILL.md
**When this plugin is active, use `tavily_search` instead of the built-in `web_search` for all web searches.**

The skill intentionally changes the agent's default web-search provider. This is clearly disclosed and aligned with the skill's purpose, but users should notice the broad provider preference.

User impact: Most web searches performed through this skill may go to Tavily instead of the built-in search provider.
Recommendation: Install only if you are comfortable using Tavily as the default search provider, or adjust/disable the skill when you prefer another provider.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
scripts/search.mjs
const apiKey = (process.env.TAVILY_API_KEY ?? "").trim(); ... Authorization: `Bearer ${apiKey}`,

The script reads the Tavily API key from the environment and uses it as the Tavily authorization token, which is expected for this API integration.

User impact: The agent can use your Tavily account quota or billing allowance when it performs searches, extraction, crawling, mapping, or research.
Recommendation: Use a Tavily API key intended for this integration, monitor usage, and revoke or rotate the key if you stop using the skill.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low | Confidence: High | Status: Note
scripts/search.mjs
const body = {
  query,
  search_depth: searchDepth,
  topic,
  max_results: Math.max(1, Math.min(n, 20)),
  include_answer: true,
  include_raw_content: false,
}; ... fetch("https://api.tavily.com/search"

User search queries are packaged into a request body and sent to Tavily's external API. Other included scripts similarly send URLs, crawl parameters, or research prompts to Tavily.

User impact: Search terms, target URLs, and research prompts may leave your environment and be processed by Tavily.
Recommendation: Avoid submitting confidential queries or private URLs unless you trust Tavily's handling of that data.