tavily
Pass
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it retrieves and processes external content from the internet without sufficient safeguards.
  - Ingestion points: The `scripts/tavily.sh` script fetches search results and raw web content via the Tavily API in the `search` and `extract` functions.
  - Boundary markers: Absent. The skill does not use delimiters or instructions to help the agent distinguish between its own logic and the untrusted data retrieved from the web.
  - Capability inventory: The skill has broad capabilities including `Bash`, `Read`, `Write`, and `Edit` as listed in the `allowed-tools` section of `SKILL.md`.
  - Sanitization: Absent. The script processes the API response using `jq` but does not filter or sanitize the text content for potential malicious instructions before providing it to the agent.
- [COMMAND_EXECUTION]: The script `scripts/tavily.sh` uses unsafe string interpolation when constructing the JSON payload for API requests.
  - Evidence: In both the `search` and `extract` functions, shell variables `$query` and `$max_results` are directly interpolated into the JSON string passed to the `curl` command (e.g., `"query": "$query"`). If a user-provided query contains escaped double quotes or other JSON control characters, it could be used to manipulate the API request structure.