← Back to Skills Marketplace
Topic Research
by
Abigale-cyber
· GitHub ↗
· v1.0.0
· MIT-0
96
Downloads
0
Stars
1
Active Installs
1
Versions
Install in OpenClaw
/install topic-research
Description
Run a second-hop deep research pass through the Tavily CLI after an initial scan, then normalize the result into a local `research.md` contract. Use when Cod...
Usage Guidance
This skill legitimately wraps a Tavily CLI workflow to produce normalized research reports, but before installing or running it:
- Expect to install and trust a third‑party CLI (tvly). Audit the installer (https://cli.tavily.com/install.sh) before running curl | bash. Prefer installing from a reviewed package or vendor documentation if possible.
- Confirm the manifest is updated to declare 'tvly' as a required binary so the skill's declared requirements match its runtime needs.
- When creating the input markdown, avoid giving an absolute source_file that points outside the project (the skill will read absolute paths). Treat inputs as untrusted and run the skill in a workspace that contains no secrets.
- Be aware the skill will write files into content-production/inbox/ and content-production/inbox/raw/research/ and may overwrite existing files.
If you need higher assurance, request the author to: (1) add 'tvly' to required binaries in the registry metadata, (2) remove or restrict absolute-path reads for source_file, and (3) avoid recommending curl|bash installs in the README (or provide a pinned, auditable installer).
Capability Analysis
Type: OpenClaw Skill
Name: topic-research
Version: 1.0.0
The topic-research skill uses the Tavily CLI to perform deep research and generate reports. It is classified as suspicious due to a path traversal vulnerability in runtime.py; the resolve_source_file function allows the source_file parameter to be an absolute path, which could be exploited to read arbitrary files on the system (e.g., /etc/passwd) if a crafted input markdown is provided. While the README.md suggests a risky curl|bash installation method for the Tavily CLI, there is no evidence of intentional malicious behavior or data exfiltration in the code itself.
Capability Assessment
Purpose & Capability
The SKILL.md and runtime.py clearly require the 'tvly' (Tavily) CLI to be installed and available on PATH, and the README instructs running an external install script (curl | bash). However the registry metadata lists no required binaries or primary credential — that mismatch is incoherent. A research skill that depends on a third‑party CLI should declare that dependency explicitly in the manifest.
Instruction Scope
Instructions are focused on building a query, calling 'tvly research --json', parsing JSON, and writing a normalized markdown and raw JSON into content-production/inbox/. That matches the stated purpose. Two points to watch: (1) the code allows 'source_file' in frontmatter to be an absolute path and will read it as-is — that enables the skill to read arbitrary files if the input frontmatter is malicious or mistaken; (2) the skill will write files into repo-local paths (content-production/inbox/...), which is expected but may overwrite existing files without further safeguards.
Install Mechanism
The skill itself has no install spec (instruction-only), which is low-risk. But the README recommends installing Tavily via a remote install script (curl -fsSL https://cli.tavily.com/install.sh | bash). Installing third-party CLIs via curl|bash is a higher‑risk action and should be audited before execution. The skill does not ship or pin the Tavily binary and relies on whatever the remote installer provides.
Credentials
The skill requests no environment variables or credentials in the manifest, which is consistent with not embedding credentials. However, it depends on a logged-in Tavily CLI; Tavily will presumably access its own auth tokens/config locally (not declared here). Also, because 'source_file' can be absolute, an attacker or misconfigured input could point the skill at sensitive local files — this is a proportionality/design concern rather than explicit credential exfiltration in the skill itself.
Persistence & Privilege
The skill is not marked always:true and does not request elevated platform privileges. It writes outputs into repository-local directories and does not appear to modify other skills or global agent settings.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install topic-research - After installation, invoke the skill by name or use
/topic-research - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
- Initial release of the `topic-research` skill for deep research on selected topics.
- Runs a second-hop investigation using Tavily CLI, following an initial scan or news collection.
- Normalizes reports into a local `research.md` contract, including a writing decision layer to guide content follow-up.
- Requires a markdown input with YAML fields (topic, question, model, etc.).
- Outputs structured research reports and saves raw source data for traceability.
- Ensures strict dependency handling and consistent output format.
Metadata
Frequently Asked Questions
What is Topic Research?
Run a second-hop deep research pass through the Tavily CLI after an initial scan, then normalize the result into a local `research.md` contract. Use when Cod... It is an AI Agent Skill for Claude Code / OpenClaw, with 96 downloads so far.
How do I install Topic Research?
Run "/install topic-research" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Topic Research free?
Yes, Topic Research is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Topic Research support?
Topic Research is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Topic Research?
It is built and maintained by Abigale-cyber (@abigale-cyber); the current version is v1.0.0.
More Skills