Tavily Search

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Tavily search integration that sends user-directed searches, URLs, crawl targets, and research prompts to Tavily using the user’s API key.

Install only if you intend to use Tavily and are comfortable sending search terms, URLs, crawl targets, and research prompts to Tavily. Keep the API key private, avoid submitting secrets or internal-only URLs, monitor credit usage, and use domain/path filters and conservative crawl limits for broad crawls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (16)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill declares required environment variables and clearly performs outbound network operations, yet no explicit permissions are declared. This weakens user consent and platform control because a user may install a seemingly simple search skill without being warned that it reads secrets and transmits data externally.

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The top-level description frames the skill as search/news retrieval, but the documented behavior also includes website crawling, deep research job orchestration, and usage/account queries. That mismatch can cause users to authorize broader capabilities than they intended, especially crawling external sites or exposing account-level usage metadata.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill encourages content extraction and whole-site crawling, including optional external-domain crawling, but provides no warning that user-supplied URLs, queries, crawled content, and possibly sensitive internal targets may be transmitted to a third-party service. In an agent setting, this can lead to privacy leakage, collection of unintended third-party data, or scanning/crawling behavior beyond user expectations.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The script silently reads a local .env file and loads an API key without any explicit disclosure to the user. In an agent-skill context, implicit secret consumption is risky because users may not realize the skill accesses local credentials and will authenticate outbound requests automatically.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
User search queries and related parameters are sent to Tavily's external API, but the script provides no user-facing warning or consent mechanism. In an agent setting, queries may contain sensitive internal data, so undisclosed outbound transmission creates a real privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The extract operation transmits user-supplied URLs and optional query text to an external service without explicit notice. Those URLs may reference private, internal, or sensitive resources, so silent forwarding to a third party can expose data or metadata unexpectedly.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Research task creation sends arbitrary user-provided research input to a third-party API with no warning. Research prompts often contain proprietary questions, internal project names, or confidential context, so undisclosed transmission is a meaningful privacy and compliance concern.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Crawl requests can send URLs plus free-form crawl instructions to an external API without a clear warning, and the feature allows broad collection of remote content. In skill context this is more dangerous because a user may unintentionally cause internal or sensitive targets to be crawled and disclosed to a third party.

External Transmission

Medium
Category
Data Exfiltration
Content
"Authorization": f"Bearer {self.api_key}"
        }
        
        response = requests.post(f"{self.base_url}/search", json=payload, headers=headers)
        response.raise_for_status()
        return response.json()
Confidence
94% confidence
Finding
requests.post(f"{self.base_url}/search", json=

External Transmission

Medium
Category
Data Exfiltration
Content
"Authorization": f"Bearer {self.api_key}"
        }
        
        response = requests.post(f"{self.base_url}/extract", json=payload, headers=headers)
        response.raise_for_status()
        return response.json()
Confidence
94% confidence
Finding
requests.post(f"{self.base_url}/extract", json=

External Transmission

Medium
Category
Data Exfiltration
Content
"Authorization": f"Bearer {self.api_key}"
        }
        
        response = requests.post(f"{self.base_url}/research", json=payload, headers=headers)
        response.raise_for_status()
        return response.json()
Confidence
94% confidence
Finding
requests.post(f"{self.base_url}/research", json=

External Transmission

Medium
Category
Data Exfiltration
Content
"Authorization": f"Bearer {self.api_key}"
        }
        
        response = requests.post(f"{self.base_url}/crawl", json=payload, headers=headers)
        response.raise_for_status()
        return response.json()
Confidence
96% confidence
Finding
requests.post(f"{self.base_url}/crawl", json=

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
urllib3>=2.0.0
Confidence
94% confidence
Finding
requests>=2.31.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
urllib3>=2.0.0
Confidence
94% confidence
Finding
urllib3>=2.0.0

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
90% confidence
Finding
requests

Known Vulnerable Dependency: urllib3 — 10 advisory(ies): CVE-2025-66471 (urllib3 streaming API improperly handles highly compressed data); CVE-2024-37891 (urllib3's Proxy-Authorization request header isn't stripped during cross-origin ); CVE-2026-21441 (Decompression-bomb safeguards bypassed when following HTTP redirects (streaming ) +7 more

High
Category
Supply Chain
Confidence
92% confidence
Finding
urllib3

VirusTotal

64/64 vendors flagged this skill as clean.
