Tavily Skill

Use Tavily API for real-time web search and content extraction. Use when: user needs real-time web search results, research, or current information from the...

What to consider before installing: - The skill's code and examples are simple and do what the description says, but the registry metadata failed to declare the required TAVILY_API_KEY. Ask the publisher to update the metadata to list that env var/primary credential so platform gating and user warnings work correctly. - The script sends search queries and content to api.tavily.com. Do not include secrets or sensitive personal data in queries. - If you provide an API key, prefer using an environment variable rather than adding long-lived keys to shared openclaw.json; if you must store it in config, ensure the file is protected and rotate the key periodically. - Verify the publisher (check the tavily.com homepage and owner identity) before trusting the key with this skill. Test with a low-privilege or limited-usage API key first. - Because metadata omission is a visibility issue, treat this as a sign of sloppy packaging rather than proof of malicious intent — but correct the metadata or proceed only after verifying the source.

Type: OpenClaw Skill Name: tavily-skill Version: 1.0.0 The `tavily-search.sh` script contains a critical shell injection vulnerability. The `$QUERY` variable, which is derived directly from user input via the `--query` argument, is directly interpolated into the `curl -d` payload without proper sanitization. This allows an attacker to inject and execute arbitrary shell commands by crafting the `--query` argument (e.g., `--query "test$(evil_command)"`), leading to remote code execution. While this is a severe flaw, it is classified as 'suspicious' rather than 'malicious' as there is no clear evidence of intentional harmful behavior or self-exploitation, but rather a lack of input sanitization.