← Back to Skills Marketplace
Tavily Skill
by
fangkelvin
· GitHub ↗
· v1.0.0
1851
Downloads
0
Stars
21
Active Installs
1
Versions
Install in OpenClaw
/install tavily-skill
Description
Use Tavily API for real-time web search and content extraction. Use when: user needs real-time web search results, research, or current information from the...
Usage Guidance
What to consider before installing:
- The skill's code and examples are simple and do what the description says, but the registry metadata failed to declare the required TAVILY_API_KEY. Ask the publisher to update the metadata to list that env var/primary credential so platform gating and user warnings work correctly.
- The script sends search queries and content to api.tavily.com. Do not include secrets or sensitive personal data in queries.
- If you provide an API key, prefer using an environment variable rather than adding long-lived keys to shared openclaw.json; if you must store it in config, ensure the file is protected and rotate the key periodically.
- Verify the publisher (check the tavily.com homepage and owner identity) before trusting the key with this skill. Test with a low-privilege or limited-usage API key first.
- Because metadata omission is a visibility issue, treat this as a sign of sloppy packaging rather than proof of malicious intent — but correct the metadata or proceed only after verifying the source.
Capability Analysis
Type: OpenClaw Skill
Name: tavily-skill
Version: 1.0.0
The `tavily-search.sh` script contains a critical shell injection vulnerability. The `$QUERY` variable, which is derived directly from user input via the `--query` argument, is directly interpolated into the `curl -d` payload without proper sanitization. This allows an attacker to inject and execute arbitrary shell commands by crafting the `--query` argument (e.g., `--query "test$(evil_command)"`), leading to remote code execution. While this is a severe flaw, it is classified as 'suspicious' rather than 'malicious' as there is no clear evidence of intentional harmful behavior or self-exploitation, but rather a lack of input sanitization.
Capability Assessment
Purpose & Capability
The SKILL.md and included script clearly require a Tavily API key (TAVILY_API_KEY) and make requests to https://api.tavily.com, which matches the described purpose. However, the registry metadata lists no required environment variables or primary credential — an inconsistency between declared requirements and actual capability.
Instruction Scope
The runtime instructions and the bash script stay within the stated purpose: building a search request and calling Tavily's API using curl and jq. They do not read unrelated files or other credentials. The SKILL.md also suggests adding the key to openclaw.json (agent config), which expands where secrets might be stored but is within plausible configuration behavior.
Install Mechanism
This is an instruction-only skill with an included shell script and no install spec; it does not download arbitrary third-party code or run an installer. Required binaries (curl, jq) are reasonable and expected for the provided examples.
Credentials
The script and SKILL.md require TAVILY_API_KEY, but the skill metadata did not declare any required env vars or a primary credential. This omission could bypass metadata-based checks or gating and is disproportionate to the apparent complexity of the skill (it only needs one API key). Also storing the key in openclaw.json could persist the secret in agent config if used.
Persistence & Privilege
The skill does not request always:true and does not modify other skills. It does recommend adding the API key to openclaw.json, which would persist the key in agent configuration — this is normal but worth noting as it increases the persistence of the credential.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install tavily-skill - After installation, invoke the skill by name or use
/tavily-skill - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of Tavily Search skill for real-time web search.
- Provides web search and content extraction via Tavily API.
- Includes setup and usage instructions, with curl and jq examples.
- Describes when to use versus alternatives like web_fetch or web_search.
- Outlines API parameters, error handling, and configuration methods.
- Requires a Tavily API key and system utilities (curl, jq).
Metadata
Frequently Asked Questions
What is Tavily Skill?
Use Tavily API for real-time web search and content extraction. Use when: user needs real-time web search results, research, or current information from the... It is an AI Agent Skill for Claude Code / OpenClaw, with 1851 downloads so far.
How do I install Tavily Skill?
Run "/install tavily-skill" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Tavily Skill free?
Yes, Tavily Skill is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Tavily Skill support?
Tavily Skill is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Tavily Skill?
It is built and maintained by fangkelvin (@fangkelvin); the current version is v1.0.0.
More Skills