Xiaogua Tavily Search

v1.0.2

Tavily-powered live web search skill for current information, news, online research, source gathering, and fallback web search when built-in web_search is ra...

bylt@taowolf
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description, SKILL.md, and the included Python script consistently implement a Tavily-backed live web search. The operations (query, ranking, deduplication, noisy-domain suppression) are implemented in the script and make sense for the stated purpose. Incoherence: the registry metadata lists no required env vars, but both SKILL.md and the script require TAVILY_API_KEY (or --api-key / .secrets/tavily.key).
Instruction Scope
SKILL.md instructs the agent/user to provide a Tavily API key and run the script; the script follows those instructions and only reads the declared locations (TAVILY_API_KEY env var, --api-key, or .secrets/tavily.key inside the skill folder). It does not read other system files or unexpected config paths.
Install Mechanism
There is no install spec. The skill is instruction-only with a bundled Python script that uses only the standard library (urllib, json, argparse, pathlib). No external downloads, package installs, or non-standard install actions are present.
Credentials
The only secret the skill requires is a Tavily API key, which is proportionate to a third-party search API. The script sends that key in a JSON POST to https://api.tavily.com/search (expected for this service). Note the registry metadata omission: the package metadata did not list TAVILY_API_KEY as required, which is misleading and should be corrected.
Persistence & Privilege
The skill is set to always:false, and no code attempts to modify other skills or system-wide settings. The skill does not request elevated or persistent system privileges.
Assessment
This skill appears to do what it says: it posts your query (and the provided TAVILY_API_KEY) to Tavily and returns ranked results. Before installing: (1) be aware you must supply a Tavily API key (set TAVILY_API_KEY or pass --api-key); the registry metadata failing to declare this is an inconsistency. (2) Inspect the API endpoint (https://api.tavily.com/search) and confirm you trust it. (3) Do not commit your API key to source control — prefer environment variables for shared installs. (4) If you have concerns about network exfiltration, run the script in an isolated environment and monitor outbound requests. (5) If you choose to proceed, consider correcting the registry metadata or contacting the publisher to avoid confusion about required credentials.
