Back to skill

Security audit

Tavily Search

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims: it sends searches or URLs to Tavily's API and prints the returned results.

Install only if you are comfortable sending your search queries, provided URLs, and Tavily API key to Tavily. Avoid putting secrets or confidential internal details into searches, and review Tavily's data handling terms if using it in a sensitive environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script transmits the user-provided search query to Tavily's external API but gives no explicit warning, consent prompt, or disclosure at runtime. This can cause inadvertent leakage of sensitive prompts, internal project names, credentials pasted into queries, or other confidential data to a third-party service.

External Transmission

Medium
Category
Data Exfiltration
Content
body.days = days;
}

const resp = await fetch("https://api.tavily.com/search", {
  method: "POST",
  headers: {
    "Content-Type": "application/json",
Confidence
95% confidence
Finding
fetch("https://api.tavily.com/search", { method: "POST"

External Transmission

Medium
Category
Data Exfiltration
Content
body.days = days;
}

const resp = await fetch("https://api.tavily.com/search", {
  method: "POST",
  headers: {
    "Content-Type": "application/json",
Confidence
95% confidence
Finding
https://api.tavily.com/

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal