by 安全扫描
OpenClaw
可疑
medium confidenceThe skill's code and docs legitimately implement a Tavily web-search/crawl client, but the package/registry metadata fail to declare the required API credential (TAVILY_API_KEY) and provenance details, which is an incoherence you should confirm before installing.
评估建议
This skill appears to do what it claims (a Tavily-based search/crawl client), but the package metadata omitted the required API credential. Before installing or running it: 1) Confirm the provenance of @tavily/core and tavily.com (verify official package/website and review the package source on the registry). 2) Expect to supply TAVILY_API_KEY — treat it as a secret and do not paste long-lived credentials into shared prompts or public places. 3) Inspect the @tavily/core package code (or vendor d...详细分析 ▾
⚠ 用途与能力
Name, description, SKILL.md and scripts/tavily.js consistently implement a Tavily search/extract/crawl/map/research client — that capability matches the stated purpose. However, the registry metadata declares no required environment variables or primary credential while the README and the script both require a TAVILY_API_KEY. The missing declared credential in metadata is an inconsistency.
✓ 指令范围
SKILL.md and scripts only instruct the agent/user to call the Tavily API via the @tavily/core client, install that npm package, and set TAVILY_API_KEY. There are no instructions to read unrelated files, other env vars, or to send data to endpoints other than Tavily. The runtime script prints results to stdout (which may leak scraped content if run in shared environments).
✓ 安装机制
No install spec is included for the skill bundle itself (instruction-only), but package.json lists @tavily/core as a dependency and SKILL.md instructs npm install @tavily/core. This is a normal, low-risk npm dependency pattern. There are no downloads from arbitrary URLs or archive extraction steps in the skill files.
⚠ 凭证需求
The code and SKILL.md require a TAVILY_API_KEY to function — that credential is proportionate to a web-search/crawl integration. However, the skill metadata does not list any required env vars nor a primary credential. That mismatch is problematic because automated permission or disclosure checks will not surface the need for an API key; the user may be unaware that secrets will be used by the skill.
✓ 持久化与权限
The skill does not request always:true or other elevated platform privileges. It does not attempt to modify other skills or system-wide settings. It runs as a normal, user-invoked script or via the Tavily client.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/3/12
# 更新日志 ## 开发者: 码道公社 ## [1.0.0] - 2026-03-12 ### Added - 初始版本发布 - 支持 5 种 Tavily API 模式: - 搜索 (search) - 提取 (extract) - 抓取 (crawl) - 映射 (map) - 研究 (research) - 提供命令行脚本 - API Key 错误提示 - AI 自动选择模式
● 无害
安装命令 点击复制
官方npx clawhub@latest install mdgs-tavily-search-skill
镜像加速npx clawhub@latest install mdgs-tavily-search-skill --registry https://cn.clawhub-mirror.com
技能文档
使用 Tavily API 进行网络搜索和信息提取。
快速开始
前置要求
首先安装依赖:
npm install @tavily/core
设置 API Key:
export TAVILY_API_KEY="tvly-your-api-key"
初始化客户端
const { tavily } = require("@tavily/core");const apiKey = process.env.TAVILY_API_KEY;
if (!apiKey) {
throw new Error("请配置 TAVILY_API_KEY 环境变量。访问 https://tavily.com 获取 API Key");
}
const tvly = tavily({ apiKey });
模式选择指南
AI 应根据任务类型自动选择合适的模式:
| 任务类型 | 推荐模式 | 说明 |
|---|---|---|
| 快速问答、信息检索 | search | 获取搜索结果和答案 |
| 获取特定网页内容 | extract | 提取单个 URL 的主要内容 |
| 批量抓取网站内容 | crawl | 抓取整个网站或多个页面 |
| 了解网站结构 | map | 获取网站的页面地图 |
| 深度研究主题 | research | 综合多个来源的深度研究 |
模式详解
1. 搜索网页 (search)
适用于:快速问答、信息检索、新闻搜索
const response = await tvly.search("Who is Leo Messi?");
console.log(response);
选项:
const response = await tvly.search("Python 教程", {
searchDepth: "basic", // "basic" 或 "advanced"
maxResults: 10,
includeAnswer: true,
includeRawContent: false,
includeImages: false
});
2. 提取网页 (extract)
适用于:获取特定网页的详细内容
const response = await tvly.extract("https://en.wikipedia.org/wiki/Artificial_intelligence");
console.log(response);
选项:
const response = await tvly.extract("https://example.com", {
includeImages: true
});
3. 抓取网页 (crawl)
适用于:批量抓取网站内容、深度内容获取
const response = await tvly.crawl("https://docs.tavily.com", {
instructions: "Find all pages on the Python SDK"
});
console.log(response);
选项:
const response = await tvly.crawl("https://example.com", {
instructions: "提取所有产品页面",
maxDepth: 2,
maxPages: 10
});
4. 绘制网页映射 (map)
适用于:了解网站结构、发现相关页面
const response = await tvly.map("https://docs.tavily.com");
console.log(response);
选项:
const response = await tvly.map("https://example.com", {
depth: 2,
maxPages: 20
});
5. 创建研究任务 (research)
适用于:深度研究、综合多来源分析
const response = await tvly.research("What are the latest developments in AI?");
console.log(response);
选项:
const response = await tvly.research("最新 AI 发展动态", {
depth: "extensive", // "basic" 或 "extensive"
maxSources: 10
});
使用脚本
项目提供了封装好的脚本:
搜索
node scripts/tavily.js search "搜索内容" [--depth basic|advanced] [--max-results N]
提取
node scripts/tavily.js extract "https://example.com"
抓取
node scripts/tavily.js crawl "https://example.com" --instructions "提取所有页面"
映射
node scripts/tavily.js map "https://example.com" [--depth N]
研究
node scripts/tavily.js research "研究主题" [--depth basic|extensive]
API Key 配置
重要: 使用此技能前必须配置 API Key。
- 访问 tavily.com 注册账号
- 获取 API Key
- 设置环境变量:
export TAVILY_API_KEY="tvly-your-actual-api-key"
或在脚本/代码中直接传入:
const tvly = tavily({ apiKey: "tvly-your-actual-api-key" });
响应格式
search response
{
"answer": "回答文本",
"results": [{ "title": "", "url": "", "content": "", "score": 0.95 }],
"images": []
}
extract response
{
"results": [{ "url": "", "content": "", "raw_content": "" }]
}
crawl response
{
"results": [{ "url": "", "content": "" }]
}
map response
{
"results": [{ "url": "", "title": "" }]
}
research response
{
"answer": "综合研究报告",
"findings": [{ "content": "", "sources": [] }]
}
数据来源:ClawHub ↗ · 中文优化:龙虾技能库
OpenClaw 技能定制 / 插件定制 / 私有工作流定制
免费技能或插件可能存在安全风险,如需更匹配、更安全的方案,建议联系付费定制