Xiaogua Tavily Search
Security checks across malware telemetry and agentic risk
Overview
This appears to be a coherent Tavily web-search skill, with expected API-key use and external search requests that users should understand before installing.
This skill looks reasonable for Tavily-based live search. Before installing, make sure you are comfortable providing a Tavily API key and sending search queries to Tavily; prefer the TAVILY_API_KEY environment variable, keep any local .secrets file private, and avoid using the skill for sensitive personal or confidential searches.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Search terms and search options may be sent to Tavily whenever the skill is used.
The tool sends the user's search query and selected options to Tavily's external API, which is expected for a live web-search skill but is still an external data flow.
API_URL = "https://api.tavily.com/search" ... payload = { "api_key": api_key, "query": args.query, ... }
Avoid searching for highly sensitive private information unless you are comfortable sending it to Tavily, and confirm the use of this skill when privacy matters.
Using the skill may consume Tavily API quota or incur account-level usage depending on the user's Tavily plan.
The script reads a Tavily API key from a CLI argument, environment variable, or local secrets file. This is purpose-aligned, but it uses the user's Tavily account authority and quota.
env_key = os.environ.get("TAVILY_API_KEY", "").strip() ... skill_dir / ".secrets" / "tavily.key"
Use a dedicated Tavily key if possible, keep .secrets/tavily.key private, and set provider-side usage limits where available.
