tavily
Pass
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: SAFE
Full Analysis
- [DATA_EXFILTRATION]: The skill transmits the API key to a remote service.
  - Evidence: scripts/extract.mjs and scripts/search.mjs send the TAVILY_API_KEY to https://api.tavily.com.
  - Context: This is a required operation for a well-known service associated with the skill's purpose. No sensitive local files are accessed or transmitted.
- [PROMPT_INJECTION]: The skill exposes a surface for indirect prompt injection by processing external web data.
  - Ingestion points: scripts/extract.mjs (URL extraction) and scripts/search.mjs (search results and AI-generated answers).
  - Boundary markers: Content is output directly to the console without additional delimiters.
  - Capability inventory: The skill is restricted to standard network requests and console output; it does not possess capabilities for file modification or arbitrary code execution.
  - Sanitization: Data is used as received from the API without specific sanitization for injection patterns.
Audit Metadata