Multi-Engine Web Search

This skill appears to implement a sensible multi-engine search, but there are a few red flags you should consider before installing or using it: - The registry metadata does not declare the TAVILY_API_KEY or the ~/.openclaw/.env config file, yet both the SKILL.md and the script read that key — verify the skill owner updates the manifest. Do not assume required credentials are harmless because they are not declared. - The script will execute external programs at runtime: agent-browser (npm tool) and an external tavily_search.py at ../../openclaw-tavily-search/scripts/tavily_search.py if present. That means code outside this skill could be invoked. Before use, inspect any referenced helper scripts (openclaw-tavily-search) and ensure agent-browser is from a trusted source. - The skill may send your TAVILY_API_KEY to https://api.tavily.com during direct API calls. Only provide that key if you trust Tavily and are comfortable placing the key in your environment or ~/.openclaw/.env. Avoid storing highly sensitive credentials in that file unless you control its security. - Runtime network access and subprocess execution are necessary for browser-based scraping; if you need a stricter security posture, run this in an isolated environment or require the agent to prompt before invoking subprocesses. What would change this assessment: if the registry manifest were corrected to declare TAVILY_API_KEY and the config path, and if the package included or documented the exact external helper scripts (so you can review them), the inconsistencies would be resolved and this could be considered benign. If you cannot review the referenced external scripts or you are not willing to provide an API key, treat the skill with caution or avoid installing it.