Skill v1.0.0
ClawScan security
Tavily Clone · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 11, 2026, 6:28 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is internally consistent and only requires a Tavily API key and Node; the only notable discrepancy is that the README claims source URLs are returned but the included script prints only the AI-generated answer.
- Guidance: This skill is small and consistent: it runs a local Node script and requires only your TAVILY_API_KEY. Before installing, verify you trust Tavily and that sharing the API key with this skill is acceptable (the key is sent to api.tavily.com). Note the documentation claims source URLs will be returned, but the included script currently prints only the AI-generated answer — if you need the sources, inspect/modify scripts/search.mjs to log them (e.g., print data.sources or the full JSON). Also avoid running it in environments where secrets might be exposed to other users or logs, and review Tavily's terms and what data the API stores.
Review Dimensions
- Purpose & Capability (note): Name/description, required binary (node), and required env var (TAVILY_API_KEY) align with a Tavily-based search helper. Minor inconsistency: SKILL.md promises both an AI-generated summary and source URLs, but the shipped script only prints data.answer and does not output source URLs.
- Instruction Scope (note): SKILL.md instructs running the bundled Node script with a query and references only the TAVILY_API_KEY; it does not direct the agent to read unrelated files or other env vars. The instruction text overpromises source URLs which the script does not print.
- Install Mechanism (ok): No install spec (instruction-only with a small included script). Nothing is downloaded or written to disk beyond the provided script.
- Credentials (ok): Only a single credential (TAVILY_API_KEY) is required and it is proportional to the stated purpose. The script sends that key to https://api.tavily.com/search in the request body, which is expected for an API-based integration.
- Persistence & Privilege (ok): Skill does not request persistent presence (always:false), does not modify other skill or system configs, and runs only when invoked.
