ClawHub

Exa

v0.0.2

Neural web search and code context via Exa AI API. Requires EXA_API_KEY. Use for finding documentation, code examples, research papers, or company info.

4· 6.3k·42 current·47 all-time
by@fardeenxyz
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The scripts call https://api.exa.ai endpoints with an EXA_API_KEY header, which is coherent with the stated purpose (neural web/code search). However the registry metadata in the manifest earlier lists no required environment variables or primary credential while SKILL.md and the scripts clearly require EXA_API_KEY — that mismatch is an engineering/metadata inconsistency. The skill also has no homepage and an opaque owner ID, which reduces ability to verify the provider.
!
Instruction Scope
SKILL.md and scripts instruct the agent to send arbitrary queries and arbitrary URLs to Exa's API. content.sh will package provided URLs and request 'text'/'highlights'/'summary' from the external API — any URL you pass (including intranet, private pages, or links containing tokens) will be transmitted off-host. The scripts also rely on external tools (jq, curl) but the manifest/requirements do not declare these binaries, so the runtime environment requirements are not fully documented.
Install Mechanism
No install spec (instruction-only with included scripts). Nothing is downloaded or extracted by the skill installer. This is low-risk from an install mechanism perspective.
Credentials
The only secret the skill needs is EXA_API_KEY, which is proportionate to calling an external API. That said, the registry initially reported 'no required env vars' which is inaccurate. Also, providing that API key to these scripts will expose it to outbound requests to api.exa.ai; using the key in shared environments or passing sensitive URLs could leak data.
Persistence & Privilege
The skill does not request permanent always:true inclusion and does not modify other skills or system-wide settings. It runs on demand and uses environment variables provided by the user.
What to consider before installing
Before installing or using this skill: 1) Verify the provider (there's no homepage and the owner is opaque). 2) Expect to need jq and curl on PATH (scripts use them) — the manifest does not list these. 3) The skill will transmit any query and any URL you pass to https://api.exa.ai along with your EXA_API_KEY — do not pass internal-only URLs, private endpoints, or links that include secrets/tokens. 4) Only use an API key you trust (consider a limited-scope or ephemeral key) and avoid exporting it in shared shells. 5) If you need to evaluate on sensitive data, test with non-sensitive examples first or run the scripts in an isolated environment. 6) Consider asking the publisher for a homepage, docs, and corrected registry metadata (declare EXA_API_KEY and required binaries) before wide deployment.

Like a lobster shell, security has layers — review code before you run it.

latestvk972w466q4wfdmzmsg0tf0v3hh7yqen8

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🧠 Clawdis
EnvEXA_API_KEY

Comments