Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Tavily Web Search Skill for OpenClaw 🦀

v1.0.0

Use this when the user asks to search the web, look up recent information, check current events, gather online sources, or research a topic using Tavily search.

9 stars · 11.2k downloads · 84 current · 90 all-time
by Göktuğ Ceyhan @goktugcy

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for goktugcy/tavily-web-search-for-openclaw.

Install the skill "Tavily Web Search Skill for OpenClaw 🦀" (goktugcy/tavily-web-search-for-openclaw) from ClawHub.
Skill page: https://clawhub.ai/goktugcy/tavily-web-search-for-openclaw
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install tavily-web-search-for-openclaw

ClawHub CLI

npx clawhub@latest install tavily-web-search-for-openclaw

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (high confidence)

Purpose & Capability
Name, description, and code align: the script POSTs queries to https://api.tavily.com/search and returns search results. Requested capability (Tavily search) matches the actual network calls; there are no unrelated credentials, binaries, or endpoints beyond Tavily. However, registry metadata did not declare the Tavily API key as a required credential even though the skill clearly needs one, which is an inconsistency.
Instruction Scope
The SKILL.md and README say the API key can be supplied via --api-key, TAVILY_API_KEY, or .secrets/tavily.key. The script's CLI parser declares a --api-key argument but load_api_key() never reads command-line args or the TAVILY_API_KEY environment variable — it only attempts to read ../.secrets/tavily.key. That mismatch means the documented/advertised ways to provide credentials aren't actually supported by the code; agent runtime instructions that rely on those methods will fail or behave differently than documented.
Install Mechanism
No install spec (instruction-only) and the code uses only Python standard library (urllib). Nothing is downloaded from arbitrary URLs and no extract/install steps are present. Risk from install mechanism is low.
Credentials
The only secret required is a Tavily API key, which is proportionate to a web-search skill. But the registry metadata did not list this required credential, and the SKILL.md/README claim multiple key-supply methods that the script does not honor. Also the script sends the API key in the JSON payload to api.tavily.com — network egress will occur and the key is transmitted to that endpoint.
Persistence & Privilege
always is false; the skill is user-invocable and can be invoked autonomously (the platform default). The skill does not request persistent system-wide changes or additional privileges, nor does it modify other skills' configurations.
What to consider before installing
This skill generally does what it claims (calls Tavily's search API), but there are clear inconsistencies you should address before trusting it:

- The script only reads the API key from ../.secrets/tavily.key (relative to the scripts directory). Contrary to the docs, it does not actually read the TAVILY_API_KEY environment variable or the --api-key argument. If you plan to provide the key via env or CLI, update the script to check os.environ or args.api_key first.
- Because the key is transmitted in the request payload, ensure you trust the domain https://api.tavily.com and that TLS is enforced by your environment. Confirm the API key's scope and rotation policy in Tavily.
- The registry metadata omitted the required credential; treat that as an engineering oversight and verify the installation instructions before automated deployment.
- If you install: place the key only in the .secrets/tavily.key file with strict permissions (chmod 600), do not commit it, and consider running the skill in a restricted network environment if you need stronger egress controls.
- Optional improvements: modify scripts/tavily_search.py to honor args.api_key and os.environ['TAVILY_API_KEY'], and to avoid embedding the API key in logs.

If you are uncomfortable, test the script in an isolated environment first or prefer an official SDK maintained by a trusted source.

Like a lobster shell, security has layers — review code before you run it.

latest vk972zb247h2fhkjszz412c008582pth3
11.2k downloads
9 stars
1 version
Updated 10h ago
v1.0.0
MIT-0

Tavily Search

Use this skill for web search and lightweight research through the Tavily Search API.

Requirements

A valid Tavily API key must be available through one of these methods:

  1. --api-key
  2. TAVILY_API_KEY
  3. {baseDir}/.secrets/tavily.key

If no key is available, explain that Tavily search is not configured in this environment.

Command

Run:

python3 {baseDir}/scripts/tavily_search.py --query "<user query>"
