Skills
skills/family3253/skill/tavily-extract/Gen Agent Trust Hub

tavily-extract

Warn

Audited by Gen Agent Trust Hub on Mar 15, 2026

Risk Level: MEDIUMEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The script scripts/extract.sh uses npx -y mcp-remote, which dynamically downloads a package from the npm registry during execution.
  • [REMOTE_CODE_EXECUTION]: Executing mcp-remote via npx involves running code fetched from a remote repository at runtime to handle the OAuth flow.
  • [COMMAND_EXECUTION]: The script performs subprocess execution of curl, jq, npx, and find to perform operations, file searches, and network requests.
  • [DATA_EXFILTRATION]: The script accesses the user's home directory at ~/.mcp-auth/ to locate sensitive authentication tokens and transmits discovered tokens to the external endpoint https://mcp.tavily.com/mcp.
  • [PROMPT_INJECTION]: The skill processes content from arbitrary external URLs, creating a surface for indirect prompt injection attacks.
  • Ingestion points: The urls array in the JSON input passed to scripts/extract.sh.
  • Boundary markers: No specific delimiters or "ignore instructions" warnings are applied to the extracted web content before it is returned to the agent.
  • Capability inventory: The script has the capability to read local files (~/.mcp-auth/) and make network requests (curl, npx).
  • Sanitization: No sanitization, escaping, or filtering is performed on the content retrieved from external web pages.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Mar 15, 2026, 08:18 AM
Security Audit — agent-trust-hub — tavily-extract