v1.0.0

Liang Tavily Search 1.0.1

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 7:22 AM.

Analysis

This is a straightforward Tavily web-search wrapper that uses a Tavily API key as expected, with only a minor provenance metadata inconsistency to notice.

Guidance

Before installing, confirm this is the intended Tavily search package and provide only a Tavily API key you are comfortable using for search requests. Avoid putting private or secret information into search queries, because queries are sent to Tavily.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: Medium | Status: Note
_meta.json
"ownerId": "kn724ben7jjrcy3pebw2jbak3s8201cp", "slug": "liang-tavily-search", "version": "1.0.1"

This differs from the supplied registry metadata, which lists a different owner ID, slug, and version. The included code is simple and purpose-aligned, but the identity mismatch is a provenance detail to verify.

User impact: A user could be uncertain whether this package metadata corresponds exactly to the registry entry they intended to install.
Recommendation: Verify the publisher, version, and package source before installing, especially if relying on this skill in a managed or shared environment.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
scripts/search.mjs
const apiKey = (process.env.TAVILY_API_KEY ?? "").trim(); ... "Authorization": `Bearer ${apiKey}`,

The script uses the Tavily API key from the environment to authenticate to Tavily. This is expected for the stated web-search purpose, but it is still account credential use that users should recognize.

User impact: Searches may consume the user's Tavily account quota and the API key authorizes requests to Tavily.
Recommendation: Use a dedicated Tavily API key with appropriate limits, avoid sharing it, and rotate it if it may have been exposed.