gemini-tavily-search
Warn
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The script `scripts/tavily_search.sh` executes `npx -y mcp-remote` to facilitate the OAuth flow or connect to Tavily's MCP server. This command downloads and executes a package from the npm registry at runtime without version pinning.
- [DATA_EXFILTRATION]: The skill accesses sensitive local files in the `~/.mcp-auth` directory. The `scripts/tavily_search.sh` script searches for `*_tokens.json` files and reads `access_token` values to authenticate requests to the Tavily API. While intended for its core functionality, this involves accessing credential stores in the user's home directory.
- [COMMAND_EXECUTION]: The skill requires the execution of shell scripts and suggests using `sudo` in its `README.md` for the installation of system dependencies like `curl` and `jq`.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection due to its processing of untrusted external web content.
  - Ingestion points: Search results and snippets are retrieved from external providers (Google and Tavily) and injected into the agent's context in `scripts/gemini_tavily_search.sh` and `scripts/tavily_search.sh`.
  - Boundary markers: The skill returns data as JSON but does not provide specific instructions or delimiters to the LLM to ignore potentially malicious instructions embedded within the snippets.
  - Capability inventory: The skill is capable of performing network requests via `curl` and executing shell commands through its distributed scripts.
  - Sanitization: The implementation does not perform sanitization, filtering, or escaping of the fetched search results before returning them to the agent.
Audit Metadata