← 返回 Skills 市场
418
总下载
0
收藏
1
当前安装
1
版本数
在 OpenClaw 中安装
/install tavily-search-darry
功能描述
Tavily 搜索 API 集成 | Tavily Search API Integration. 高质量网络搜索、新闻聚合、信息调研 | High-quality web search, news aggregation, research. 触发词:搜索、search、tavily、新闻.
安全使用建议
This skill largely does what it says (Tavily search/crawl/extract/research), but review the following before installing: 1) The scripts rely on tools not listed in metadata (curl, jq, base64, npx). Ensure these binaries are present or install them beforehand. 2) On first run the scripts will call 'npx -y mcp-remote ...' which downloads and executes a package from npm to run an OAuth flow — if you prefer not to fetch code at runtime, set TAVILY_API_KEY manually in your agent settings and avoid the OAuth path. 3) The scripts search your home directory for ~/.mcp-auth/*_tokens.json; they only accept tokens whose JWT issuer matches https://mcp.tavily.com/ and check expiry, but this still reads local token cache files — if that is sensitive, run the skill in an isolated environment or remove/inspect that directory first. 4) Network calls target mcp.tavily.com (and docs mention api.tavily.com); verify these domains are expected. If you need lower risk, request the same functionality from a version that documents required binaries and avoids runtime npx fetches. If you decide to proceed, consider specifying TAVILY_API_KEY manually and running in a sandboxed environment.
功能分析
Type: OpenClaw Skill
Name: tavily-search-darry
Version: 1.0.0
The skill bundle provides integration with Tavily APIs but implements high-risk automated credential discovery. The scripts (crawl.sh, extract.sh, research.sh, and search.sh) recursively search the user's home directory (~/.mcp-auth/) for OAuth tokens and use 'npx' to execute a remote package (mcp-remote) to initiate authentication flows. While the scripts include a security check to verify the JWT issuer is 'https://mcp.tavily.com/' before using a token, the automated scanning of sensitive configuration directories for credentials and the background execution of remote packages represent significant risky capabilities that exceed standard API integration patterns.
能力评估
Purpose & Capability
Name/description match the implemented behavior: scripts call Tavily MCP endpoints (https://mcp.tavily.com) for search/crawl/extract/research and can save crawl output to local files. However, the skill metadata only declares 'bash' as a required binary while the scripts also rely on curl, jq, base64, date, and npx at runtime—these are not declared. The scripts also attempt to discover an OAuth token from a local cache (~/.mcp-auth), which is consistent with an OAuth-friendly client but is not documented in the registry metadata as a required config/access.
Instruction Scope
Runtime instructions and included scripts will: (a) read files under $HOME/.mcp-auth searching for '*_tokens.json', (b) run npx -y mcp-remote to initiate an OAuth browser flow (downloads and executes code from npm at runtime), (c) make outbound HTTPS requests to mcp.tavily.com, and (d) write crawled pages to any output directory you pass. Reading the local MCP auth cache is scope-relevant for OAuth but may be surprising because it inspects user files and could encounter other token files; the script tries to validate tokens by checking the JWT issuer and expiry, which mitigates but does not eliminate the concern.
Install Mechanism
There is no formal install spec, but the scripts call npx -y mcp-remote at runtime. npx will fetch and execute a package from the public npm registry on demand (transient download/execute). That is a moderate-to-high install-time risk compared with an instruction-only script that does not fetch code. The rest of the skill files are local shell scripts (no packaged third-party install), so the primary runtime risk is dynamic npx execution.
Credentials
The skill does not declare any required environment variables in registry metadata, but the scripts use TAVILY_API_KEY if present and will attempt to obtain an OAuth token from ~/.mcp-auth if not. Requesting/using a Tavily API token is proportional to the skill's purpose. Two small issues: (1) TAVILY_API_KEY is optional but not documented in the metadata 'requires.env' (user-facing docs in SKILL.md do mention it), and (2) the script reads ~/.mcp-auth token files — while it filters tokens by issuer and expiry, it still inspects local auth caches which could contain tokens for other tools if stored there.
Persistence & Privilege
The skill is not always: true and does not request persistent elevated platform privileges. It writes crawl output only to an explicit output directory you pass, and it does not modify other skills or global agent settings. Runtime npx execution is transient and not a declared persistent install.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install tavily-search-darry - 安装完成后,直接呼叫该 Skill 的名称或使用
/tavily-search-darry触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
- Initial release of tavily-search-darry skill.
- Integrates Tavily Search API for high-quality web search, news aggregation, and research.
- Provides features such as intelligent search, content extraction, relevance scoring, and advanced news filtering.
- Includes support for domain filtering and multiple research tools (crawl, extract, research).
- Offers shell script examples for basic and advanced usage.
- Authentication via Tavily API Key or OAuth.
元数据
常见问题
Tavily Search 是什么?
Tavily 搜索 API 集成 | Tavily Search API Integration. 高质量网络搜索、新闻聚合、信息调研 | High-quality web search, news aggregation, research. 触发词:搜索、search、tavily、新闻. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 418 次。
如何安装 Tavily Search?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install tavily-search-darry」即可一键安装,无需额外配置。
Tavily Search 是免费的吗?
是的,Tavily Search 完全免费(开源免费),可自由下载、安装和使用。
Tavily Search 支持哪些平台?
Tavily Search 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Tavily Search?
由 迩康(@darryek)开发并维护,当前版本 v1.0.0。
推荐 Skills