tavily
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION)
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is designed to ingest untrusted data from arbitrary external websites via search, extraction, and crawling functions.
  - Ingestion points: The search, extract, crawl, and research endpoints retrieve and return raw web content (markdown/text) to the agent context (SKILL.md).
  - Boundary markers: There are no boundary markers or instructions defined to prevent the agent from following malicious instructions embedded in the retrieved web content.
  - Capability inventory: The skill is intended for "multi-step investigations," implying that the agent will make decisions or take further actions based on the retrieved untrusted data.
  - Sanitization: No sanitization or filtering of external content is performed before it is processed by the agent.
- [COMMAND_EXECUTION] (HIGH): The tool provides curl command templates that use direct string interpolation for user-provided values like <query> and <urls>.
  - Evidence: In the search and extract tool mappings, variables are placed inside shell command strings. If the agent executing these commands does not properly escape shell metacharacters in the user-provided input, it could lead to arbitrary command execution on the host system.
- [DATA_EXFILTRATION] (LOW): The skill makes network requests to api.tavily.com.
  - Evidence: All tool mappings use curl to send data and API keys to https://api.tavily.com. While this is the intended functionality, the domain is not on the pre-approved trusted list and represents a potential outbound path for sensitive environment variables like TAVILY_API_KEY.
Recommendations
- AI detected serious security threats
Audit Metadata