Liang Tavily Search 1.0.1
PassAudited by ClawScan on May 10, 2026.
Overview
This is a straightforward Tavily web-search skill that sends search queries to Tavily using an API key, with only minor provenance and credential-handling notes to review.
Before installing, verify the publisher/source because the registry metadata and bundled _meta.json do not fully match. If you proceed, treat searches as being sent to Tavily and protect your TAVILY_API_KEY like any other API credential.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your Tavily API key will be used to authenticate searches, and Tavily will receive the search queries you run.
The script reads a Tavily API key from the environment and uses it as a Bearer token for the Tavily search API. This is expected for this integration and there is no evidence of unrelated credential use or leakage.
const apiKey = (process.env.TAVILY_API_KEY ?? "").trim(); ... "Authorization": `Bearer ${apiKey}`Use a Tavily API key with the minimum access needed, keep it private, and avoid searching for highly sensitive private information unless you are comfortable sending it to Tavily.
The skill behavior appears simple and coherent, but the package origin and metadata consistency are not fully clear from the provided artifacts.
The package source is not identified and the registry metadata does not fully match the included _meta.json. This does not show malicious behavior, but it is a provenance inconsistency worth checking.
Source: unknown; Registry metadata owner/version/slug differ from _meta.json ownerId/slug/version
Confirm that this is the intended Tavily search skill and that you trust the publisher before installing.