tavily
Warn
Audited by Socket on Mar 13, 2026
1 alert found:
Anomaly (LOW): SKILL.md
SUSPICIOUS rather than benign: the stated purpose matches Tavily search, and the official Tavily API/domain are legitimate, but the skill's real behavior hinges on an unseen local shell script that retrieves a raw API key from `pass`. There is no evidence of overt malware or third-party exfiltration in the provided text, yet the hidden script, credential exposure path, and broader-than-needed write capabilities make the footprint only partially verifiable.
Confidence: 82%
Severity: 58%