tavily-web

SUSPICIOUS. The stated purpose is coherent for a Tavily-based web research skill, and the Tavily API key requirement is proportionate, but the skill is distributed as a third-party transitive skill install from an unverified community source and processes untrusted web content that could indirectly influence an agent with broader permissions. With no confirmed malicious data exfiltration or mismatched credential scope, this is not confirmed malware, but it carries medium security risk.