Tavily Search

v0.1.0

Web search via Tavily API (alternative to Brave). Use when the user asks to search the web / look up sources / find links and Brave web_search is unavailable...

by Xiaoran Li @jacky1n7
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The code and SKILL.md implement a web-search using Tavily's API (POST to https://api.tavily.com/search), which is coherent with the skill's name/description. However, the registry metadata claims 'Required env vars: none' and 'Primary credential: none' while the script and SKILL.md require a TAVILY_API_KEY — an inconsistency that should have been declared in the registry entry.
Instruction Scope
Runtime instructions are narrowly scoped: run the bundled Python script with a query; the script only reads an API key (env or ~/.openclaw/.env), constructs a JSON payload, and posts it to Tavily. It does not enumerate/collect arbitrary local files, system secrets, or other unrelated data.
Install Mechanism
This is an instruction-only skill with an included script and no install spec. Nothing is downloaded or installed automatically; code is run from the workspace. Low install risk.
Credentials
The script requires a TAVILY_API_KEY (environment variable or line in ~/.openclaw/.env) but the registry metadata does not list any required credentials. Reading ~/.openclaw/.env can be surprising to users (although the script only extracts the TAVILY_API_KEY). The missing declaration in metadata and implicit file access reduce transparency and are disproportionate to what was advertised in the registry entry.
Persistence & Privilege
The skill does not request persistent or elevated privileges, 'always' is false, and it does not modify other skills or system-wide settings.
What to consider before installing
This script appears to do exactly what it says — call Tavily's search API and return results — but there are a few caution points: (1) the registry metadata did not declare the required TAVILY_API_KEY; you will need to provide that key (via env var or ~/.openclaw/.env). (2) There is no homepage or source provenance listed; if you don't already trust api.tavily.com or the package owner, verify who operates Tavily and whether you want to share queries and an API key with that service. (3) Prefer exporting TAVILY_API_KEY in a restricted environment variable rather than storing other secrets in ~/.openclaw/.env; consider creating a dedicated API key with limited scope. (4) If you have security concerns, review the script (it's small and readable) and consider running it in an isolated environment before giving it access to a production agent.

Like a lobster shell, security has layers — review code before you run it.

latestvk97deqsbg40w5vcbf12c6n0h0981wpab
