tavily

Pass

Audited by Gen Agent Trust Hub on Mar 16, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill ingests untrusted content from the Tavily search API, introducing a surface for indirect prompt injection where malicious data from external websites could attempt to influence the agent's behavior.
  • Ingestion points: Search results and summaries are fetched from https://api.tavily.com/search in scripts/tavily_search.py.
  • Boundary markers: The skill does not implement delimiters or specific instructions to the agent to treat search results as untrusted content.
  • Capability inventory: The skill possesses network access for API communication and read access to the local filesystem for credential loading.
  • Sanitization: No sanitization or filtering of the retrieved web snippets is performed before they are returned to the agent.
  • [DATA_EXFILTRATION]: The skill reads sensitive credential information from a local file path (.secrets/tavily.key). While this data is sent only to the legitimate Tavily API endpoint, accessing sensitive files on the host system is a high-privilege activity.
  • [COMMAND_EXECUTION]: The execution command defined in SKILL.md uses string interpolation to insert the user's query directly into a shell command: python3 {baseDir}/scripts/tavily_search.py --query "<user query>". This pattern is vulnerable to command injection if the agent framework executes the command through a shell without properly sanitizing metacharacters in the query string.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 16, 2026, 02:58 PM