Tavily Search
Security checks across malware telemetry and agentic risk
Overview
The Tavily search skill is mostly purpose-aligned, but it includes an undocumented wrapper that can turn a search query into local shell command execution.
Review or remove openclaw-wrapper.js before installing. The direct search.mjs and extract.mjs scripts are straightforward Tavily API clients, but use a dedicated Tavily API key and avoid sending confidential queries, private URLs, or internal resources to Tavily.
SkillSpector
By NVIDIA
Vulnerability Patterns
- Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
- Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
- Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
- Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
- Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
VirusTotal
64/64 vendors flagged this skill as clean.
