tavily-api-expert

skills-sh:tavily-ai_tavily-plugins__tavily-api-expert

View source

100/100

First Seen

Feb 18, 2026

Last Scanned

Feb 20, 2026

Findings

Score

100/100

LOW 2

Findings (2)

LOW

Hardcoded secrets in MCP env block MCPCFG_003

mcp-config L21

Detects hardcoded API keys, tokens, or passwords in MCP server environment configuration

"env"
:
{ + "TAVILY_API_KEY"
:
"tvly-your-api-key-here"

FIX

Remove shell metacharacters (semicolons, pipes, ampersands, backticks) from MCP server arguments. Use explicit argument arrays and avoid shell expansion in MCP configurations.

FP?

Likely FP if the metacharacter is a literal part of a non-shell argument (e.g., a regex pattern or a URL query parameter containing ampersands).

LOW

pip install arbitrary package EXTDL_009

external-download L32

Detects pip install of arbitrary packages that modify the host environment

pip
install
ta

FIX

Pin all pip packages to exact versions (e.g., pip install package==1.2.3). Use a requirements.txt or pyproject.toml with pinned versions and hash verification.

FP?

Likely FP if the match is in documentation showing how to install the skill's own PyPI package.