Liang Tavily Search 1.0.1

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Tavily web-search skill that sends search requests to Tavily as expected and shows no hidden persistence, unrelated data access, or destructive behavior.

Install this only if you are comfortable sending search queries and selected search options to Tavily and providing a Tavily API key. Avoid putting secrets, private documents, or sensitive personal data into queries unless that matches your data-handling requirements.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This code sends the user-provided query and optional parameters such as included/excluded domains and raw-content requests to Tavily over the network. Although network access is central to a search tool, the script itself provides no explicit warning, confirmation, or privacy disclosure that user input will be transmitted to a third-party service.

External Transmission

Medium
Category
Data Exfiltration
Content
if (includeDomains.length > 0) body.include_domains = includeDomains;
if (excludeDomains.length > 0) body.exclude_domains = excludeDomains;

const resp = await fetch("https://api.tavily.com/search", {
  method: "POST",
  headers: {
    "Content-Type": "application/json",
Confidence
60% confidence
Finding
fetch("https://api.tavily.com/search", { method: "POST"

External Transmission

Medium
Category
Data Exfiltration
Content
if (includeDomains.length > 0) body.include_domains = includeDomains;
if (excludeDomains.length > 0) body.exclude_domains = excludeDomains;

const resp = await fetch("https://api.tavily.com/search", {
  method: "POST",
  headers: {
    "Content-Type": "application/json",
Confidence
50% confidence
Finding
https://api.tavily.com/

VirusTotal

64/64 vendors flagged this skill as clean.
