50

Production ready MCP server with real-time search, extract, map & crawl.

tavily-mcp162012 files scanned April 2, 2026

Verified publisher — Tavily

This package is from Tavily, a verified publisher. Search API — needs API keys by design. The findings below are expected for this type of tool — for example, a payment SDK will read API keys, and a browser tool will use child_process. These patterns are normal for a verified publisher, not signs of malice.

What We Found (1 issue)


HIGH: HIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.TAVILY_API_KEY
src/index.ts:14

Finding Summary

Critical: 0
High: 1
Medium: 0
Low: 0
Info: 0