Is tavily safe?
https://clawhub.ai/bert-builder/tavily
The Tavily skill is a straightforward web search wrapper that provides AI-optimized search via the Tavily API. It contains no prompt injection, no hidden behaviors, and clean clone/install behavior. The primary risks are the standard ones inherent to any API-based search skill: queries are sent to an external service (tavily.com), and a third-party Python package (tavily-python) must be installed. No malicious intent detected.
Findings (8)
MEDIUM Third-party pip dependency required -20
The skill requires 'pip install tavily-python' which pulls a package from PyPI. While tavily-python is a legitimate, well-known package, any pip install introduces supply chain risk. The package executes in the user's environment with full permissions.
MEDIUM User queries sent to external Tavily API -15
All search queries are transmitted to tavily.com's API servers. This is the expected and declared behavior of a search skill, but users should be aware that their queries leave the local environment. The API key is also transmitted.
LOW API key storage recommendations reference sensitive paths -5
SKILL.md recommends storing API keys in ~/.clawdbot/.env and Clawdbot config files. While these are standard locations, the skill documents these paths, which could be useful to a future attacker analyzing the skill ecosystem.
LOW Documentation suggests unsafe command chaining -10
The SKILL.md integration patterns section shows piping search result URLs to curl via xargs, which could fetch content from arbitrary URLs returned by search results. If an agent follows this pattern, it could be tricked into fetching malicious content.
LOW Search capability enables information gathering for social engineering -8
In combination with other skills, the search capability could be used to gather personal information about targets. This is inherent to any search tool and not specific to this skill.
INFO No prompt injection patterns detected 0
SKILL.md contains only standard documentation, usage examples, and API reference material. No hidden instructions, no persona manipulation, no instruction overrides.
INFO Filesystem activity is from host environment, not skill 0
The monitored filesystem events (reads to .aws/credentials, .env, .profile, .bashrc, .openclaw/) are from the ClawdBot runtime environment performing its standard config scanning, not from the skill itself. The skill's install was clean.
INFO No install hooks or git hooks present 0
package.json is empty (no npm scripts), no .githooks directory, no .gitattributes filters, no git submodules, no symlinks. The skill has a clean installation footprint.