Is 0xjordansg-yolo/ai-native-websearch-via-tavily-api-returns-concise-relevant-results-for-openclaw safe?

https://github.com/openclaw/skills/tree/main/skills/0xjordansg-yolo/ai-native-websearch-via-tavily-api-returns-concise-relevant-results-for-openclaw

77
CAUTION

This skill provides web search via a third-party proxy (AIsa/Tavily) and is structurally clean with no prompt injection, no canary file access, and benign install behavior. However, the actual source code of both executable scripts (search.mjs, extract.mjs) is missing from the audit evidence, preventing verification of their behavior. The third-party proxy architecture means all search queries pass through an opaque intermediary, and the URL extraction feature introduces potential SSRF risk.

Category Scores

Prompt Injection 92/100 · 30%
Data Exfiltration 62/100 · 25%
Code Execution 60/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 60/100 · 5%

Findings (6)

HIGH Executable scripts with unverifiable source code -30

The skill ships two .mjs files (search.mjs and extract.mjs) that are executed via the node runtime, but their source code was not captured during evidence collection. Without source review, we cannot confirm the scripts only perform their stated search/extract functions and do not contain hidden data collection, credential harvesting, or reverse shell capabilities.

MEDIUM All queries routed through opaque third-party proxy -25

Search queries are sent to AIsa's unified API gateway (aisa.one) rather than directly to Tavily's API. This intermediary has full visibility into all search queries, which may contain sensitive project context, code snippets, or internal information that the user asks the agent to research. The proxy operator could log, analyze, or exfiltrate this data.

MEDIUM Arbitrary URL extraction capability -13

The extract.mjs script accepts any URL as input (node {baseDir}/scripts/extract.mjs "https://example.com/article"), which could be used to probe internal network resources, access metadata endpoints (e.g., cloud instance metadata at 169.254.169.254), or exfiltrate data by encoding it in URL parameters sent to attacker-controlled endpoints.

LOW External URL references in skill documentation -8

SKILL.md references external URLs (aisa.one, marketplace.aisa.one) for API key acquisition. While these are informational and not agent fetch targets, they direct users to third-party services outside the skill ecosystem.

INFO Clean installation behavior with no anomalous activity -5

The installation process showed only expected network connections (GitHub for clone, Ubuntu repos for system operations) and standard filesystem activity. No connections to the skill's declared API endpoints occurred during install.

INFO Lock file references unrelated skill -5

The .clawhub/lock.json references 'academic-research-hub' skill version 0.1.0, which appears unrelated to this Tavily search skill. This is likely a benign artifact of the skill registry system but is noted for completeness.