tavily-web

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly issues Tavily API calls (see SKILL.md payloads for "search", "extract", "crawl", "map", "research") and the tavily-api.cjs helper posts those payloads to https://api.tavily.com to fetch and extract content from arbitrary public URLs (e.g., "urls"/"url" fields and crawl instructions), meaning the agent will ingest untrusted, user-generated/open-web content as part of its workflow.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill's sub-skill makes runtime POST requests to the Tavily API at https://api.tavily.com to fetch arbitrary webpage content (including user-supplied URLs like those passed to the extract/crawl endpoints), and that fetched content is returned and can be injected into the agent context—therefore it can directly control prompts.