Multi-engine web search with full parameter control. Supports Tavily, Exa, Serper, and SerpAPI with domain filtering, date ranges, deep search, news mode, an...
Security Analysis
high confidence
The skill mostly does what it claims (multi-engine web search) but metadata and privileges are inconsistent with its code and purpose (unnecessary required primary API key and always: true), so review before enabling.
The scripts implement four engines (Tavily, Exa, Serper, SerpAPI) and explicitly support running with any one of those provider keys. However, the registry metadata declares TAVILY_API_KEY as a required environment variable / primary credential. Requiring Tavily for onboarding is disproportionate: the code will work with EXA/SERPER/SERPAPI keys alone, but the manifest forces Tavily to be present.
SKILL.md and the CLI scripts only instruct running the included Node scripts and configuring API keys (TAVILY_API_KEY, EXA_API_KEY, SERPER_API_KEY, SERPAPI_API_KEY). The runtime instructions do not ask the agent to read unrelated files, system credentials, or transmit arbitrary local data. Network calls are limited to the documented search/extract API endpoints.
There is no install spec — the package is effectively distributed as source scripts and README/SKILL.md. No remote downloads or archive extraction are performed by the skill itself. The requirement of the 'node' binary is appropriate for the provided .mjs scripts.
The manifest forces TAVILY_API_KEY as required/primary even though other provider keys are optional in the README and the code supports operating with EXA/SERPER/SERPAPI. The skill will also read EXA_API_KEY, SERPER_API_KEY, and SERPAPI_API_KEY from the environment if present, but those are not listed as required in the registry metadata. This mismatch can lead to unnecessary exposure of a Tavily key or prevent using non-Tavily engines when Tavily is unavailable.
Metadata sets always: true. That forces the skill to be included in every agent run, increasing its blast radius because it can be invoked autonomously. There is no clear justification in SKILL.md for always: true — the skill provides optional search features and should not normally require forced global presence.
Guidance
What to consider before installing:
- The code appears to match the description: it calls only the documented search/extract APIs (tavily, exa, serper, serpapi) and does not attempt to read other local secrets or unusual files.
- The registry metadata is inconsistent: it marks TAVILY_API_KEY as required/primary even though the scripts can run with other providers. That may unnecessarily require you to provide a Tavily key to enable the skill. Ask the maintainer to make Tavily optional or to have the manifest accept any one provider key.
- always: true is set. That gives the skill forced presence in every agent run and increases risk if a key is compromised. Prefer not to enable skills with always: true unless you trust the publisher and need continuous availability.
- API keys you provide will be sent to external services. Only supply keys with appropriate least-privilege and billing controls, and avoid sharing high-privilege or org-wide secrets.
- If you plan to use only Exa/Serper/SerpAPI, test locally by setting only those env vars to confirm behavior; request that the publisher correct the manifest to avoid forcing Tavily.

Overall: the skill is functionally coherent but has manifest/privilege mismatches that warrant fixing or careful review before broad deployment.
Latest Release
v1.0.1
metadata clarity and validation hardening
Published by @Zjianru on ClawHub