ClawHub

Claw Tavily Search Pro

v1.0.0

AI-optimized web search via Tavily API. Returns concise, relevant results for AI agents.

0· 77·1 current·1 all-time
by@williamwang-wh
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the behavior: both scripts call Tavily endpoints (api.tavily.com) and the skill requires TAVILY_API_KEY and node. Required binaries and env vars are appropriate and proportional for a web-search integration.
Instruction Scope
SKILL.md instructs running the included Node scripts which only POST queries/URLs to Tavily and print results. Note: user queries and any provided URLs are transmitted to api.tavily.com (expected for a search/extract skill). The instructions do not read other system files or unrelated environment variables.
Install Mechanism
No install spec (instruction-only) and included code is small and readable. Nothing is downloaded from untrusted URLs and no archives are extracted.
Credentials
Only TAVILY_API_KEY is required (declared as primaryEnv). The scripts only read that env var and use it in requests to the Tavily API — this is proportionate to the stated purpose.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or agent-wide settings, and is user-invocable by default. Autonomous agent invocation is allowed by platform default but is not excessive here.
Assessment
This skill appears to do what it claims: it sends your queries and any URLs you pass to Tavily's API and prints back the returned snippets. Before installing, confirm you trust tavily.com and are comfortable sending queries (and any URLs) to that external service. Only supply an API key with permissions you intend for this use; do not pass sensitive secrets or personal data through the skill. Note a minor packaging inconsistency: _meta.json uses a different ownerId/slug than the registry metadata — likely a metadata packaging issue but worth confirming the publisher's identity if provenance matters to you.
scripts/extract.mjs:18
Environment variable access combined with network send.
scripts/search.mjs:42
Environment variable access combined with network send.
Confirmed safe by external scanners
Static analysis detected API credential-access patterns, but both VirusTotal and OpenClaw confirmed this skill is safe. These patterns are common in legitimate API integration skills.

Like a lobster shell, security has layers — review code before you run it.

latestvk971w1z9b9wb9g59yztqk8n0hs83xa6v

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🔍 Clawdis
Binsnode
EnvTAVILY_API_KEY
Primary envTAVILY_API_KEY

Comments