tavily-web

This skill's README fragment describes a plausible web-research capability that legitimately requires an API key and network access. The primary supply-chain/security concerns are procedural: (1) the installation method (npx skills add) introduces a transitive installation risk because it downloads and executes third-party skill code into the agent environment, and (2) the documentation does not explicitly show trusted Tavily endpoints or telemetry/forwarding behavior, so it is not possible from this fragment to confirm that credentials and extracted content are sent only to the official Tavily API. No code was provided to show direct evidence of malicious behavior (no hardcoded credentials, no download-and-execute commands, no suspicious domains), so confirmed malware is unlikely based on the provided text. However, because installation causes remote code execution in the agent context and the handling of the API key/endpoints is opaque, there is a moderate supply-chain risk: review the skill's repository code before installing and avoid providing high-privilege credentials until the code is audited.