Tavily Search
v1.0.0
Tavily AI Search API integration for OpenClaw. Provides web search capabilities using Tavily's AI-powered search engine.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The skill's name/description (Tavily AI search) matches the instructions and example code (TavilyClient.search). However, the registry metadata listed no required env vars, while the SKILL.md metadata and usage clearly expect a TAVILY_API_KEY and a Python package (tavily-python). This metadata mismatch should be resolved but does not itself indicate malicious intent.
Instruction Scope
SKILL.md only instructs using the Tavily client, setting an API key via ~/.openclaw/openclaw.json or the TAVILY_API_KEY env var, and calling tavily_client.search(). It does not instruct reading unrelated files, touching unrelated credentials, or exfiltrating data to unexpected endpoints.
Install Mechanism
This is an instruction-only skill with no install spec. SKILL.md metadata lists a Python dependency (tavily-python) but provides no install steps. That is a harmless but important omission: the runtime must already have the dependency or the agent will need to install it (pip), which is not described here.
Credentials
The only secret the skill needs is a Tavily API key (TAVILY_API_KEY), which is appropriate for a web-search API integration. The concern is the registry metadata mismatch: the registry declares no required env vars, while SKILL.md declares the key. SKILL.md also suggests storing the key in ~/.openclaw/openclaw.json (a plaintext config file), so consider secret handling practices.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and only asks to enable itself in the user's OpenClaw config. That level of persistence is typical and proportional to the function.
Assessment
What to consider before installing:
- Confirm the GitHub homepage (https://github.com/ryan-wuxl/tavily-search) and review the repo to ensure it matches the SKILL.md and is trustworthy.
- The SKILL.md expects a TAVILY_API_KEY and a Python package (tavily-python), but the registry metadata omitted these — verify you will provide the API key (env or openclaw.json) and that the runtime will have or will safely install the tavily-python package.
- Storing the API key in ~/.openclaw/openclaw.json stores it in plaintext; if you prefer, provide the key via environment variable and/or use a scoped key with limited permissions and the ability to rotate it.
- Because this is an instruction-only skill (no code shipped), it is low risk from arbitrary downloads, but the agent will contact Tavily's API when used — only install if you trust Tavily and you are comfortable with queries being sent to that external service.
- If you have strict supply-chain or network policies, ask how and when the tavily-python dependency will be installed (if needed) and consider reviewing that package before allowing installation.

Like a lobster shell, security has layers — review code before you run it.
latest vk97a8dcc9zrgta5863y1p953xx83dva4
Runtime requirements
Environment variables
TAVILY_API_KEY (required)