Skip to content

Add Scavio tool node#6595

Open
scavio-ai wants to merge 4 commits into
FlowiseAI:mainfrom
scavio-ai:feat/scavio-tool-node
Open

Add Scavio tool node#6595
scavio-ai wants to merge 4 commits into
FlowiseAI:mainfrom
scavio-ai:feat/scavio-tool-node

Conversation

@scavio-ai

Copy link
Copy Markdown

Description

Adds a Scavio tool node under Tools, alongside the existing search nodes (Tavily, SerpAPI, Brave, Exa). Scavio is a real-time search API for AI agents (a unified API over Google, YouTube, Amazon, Walmart, Reddit, TikTok, and Instagram) that returns clean JSON.

The node returns a LangChain Tool that searches Google in real time and returns results (title, url, description) as JSON, so it plugs into any agent/chain that accepts a Tool. It follows the same structure as the existing TavilyAPI node.

Files

  • packages/components/nodes/tools/Scavio/Scavio.ts — the tool node
  • packages/components/nodes/tools/Scavio/scavio.svg — icon
  • packages/components/credentials/ScavioApi.credential.ts — API-key credential

How it works

  • User creates a Scavio API credential (API key from https://dashboard.scavio.dev).
  • The node calls the Scavio API with the key and returns structured results.

Docs: https://scavio.dev/docs

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces a new Scavio search tool and its corresponding credential configuration to enable real-time web searches. The feedback highlights a security concern regarding Server-Side Request Forgery (SSRF) due to the direct use of raw axios instead of the project's centralized secureAxiosRequest wrapper. Additionally, it is recommended to validate the presence of the Scavio API key during initialization to prevent silent runtime failures.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

@@ -0,0 +1,188 @@
import axios from 'axios'

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

security-high high

To prevent Server-Side Request Forgery (SSRF) vulnerabilities, Flowise uses a centralized HTTP security wrapper (httpSecurity.ts) that implements deny-list validation and IP pinning logic. Directly importing and invoking raw axios bypasses these SSRF mitigations entirely. Please use secureAxiosRequest from ../../../src/httpSecurity instead of raw axios.

Suggested change
import axios from 'axios'
import { secureAxiosRequest } from '../../../src/httpSecurity'

Comment on lines +50 to +55
const { data } = await axios.post('https://api.scavio.dev/api/v2/google', body, {
headers: {
'Content-Type': 'application/json',
Authorization: `Bearer ${this.apiKey}`
}
})

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

security-high high

Use the secured secureAxiosRequest wrapper instead of raw axios to ensure that all outbound requests are properly validated against the SSRF deny-list.

            const { data } = await secureAxiosRequest({
                url: 'https://api.scavio.dev/api/v2/google',
                method: 'POST',
                data: body,
                headers: {
                    'Content-Type': 'application/json',
                    Authorization: 'Bearer ' + this.apiKey
                }
            })

Comment on lines +167 to +168
const scavioApiKey = getCredentialParam('scavioApiKey', credentialData, nodeData)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

It is recommended to validate that the scavioApiKey is present during the node's initialization. Throwing a clear error when the API key is missing prevents silent failures or confusing runtime errors when the tool is executed.

Suggested change
const scavioApiKey = getCredentialParam('scavioApiKey', credentialData, nodeData)
const scavioApiKey = getCredentialParam('scavioApiKey', credentialData, nodeData)
if (!scavioApiKey) {
throw new Error('Scavio API Key is missing. Please connect your Scavio API credential.')
}
References
  1. When a feature requires a specific configuration (e.g., an API key for a sandboxed environment), it is preferable to throw an error if the configuration is missing rather than silently falling back to a different implementation.

@scavio-ai

Copy link
Copy Markdown
Author

Thanks for the review. Addressed both points: the node now uses secureAxiosRequest from httpSecurity instead of raw axios, and init() throws a clear error when the API key is missing.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant