tavily-search-and-fetch
Pass
Audited by Gen Agent Trust Hub on Feb 21, 2026
Risk Level: SAFEDATA_EXFILTRATIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- PROMPT_INJECTION (LOW): The skill fetches content from the web and provides it to the agent, creating a surface for indirect prompt injection where instructions embedded in external web pages could influence agent behavior. \n
- Ingestion points:
tavily_crawl.sh,tavily_extract.sh,tavily_search.sh, andtavily_research.shingest data from external URLs. \n - Boundary markers: The scripts use Markdown headers to separate results but lack explicit instructions for the agent to disregard instructions within the fetched text. \n
- Capability inventory: The skill allows writing to the filesystem via the
--output-fileand--output-dirarguments. \n - Sanitization:
tavily_crawl.shsanitizes URL-derived filenames, buttavily_research.shdoes not validate or sanitize the path provided to the--output-fileargument, which could be exploited if the agent's parameters are manipulated. \n- EXTERNAL_DOWNLOADS (SAFE): The skill installsjqvia Homebrew as specified in the metadata. This is a common and verifiable dependency installation. \n- DATA_EXFILTRATION (LOW): The scripts perform network operations toapi.tavily.com. While necessary for the skill's purpose, the domain is not on the predefined whitelist. The TAVILY_API_KEY is handled via environment variables, which is a secure practice.
Audit Metadata