Exa
Security checks across malware telemetry and agentic risk
Overview
This appears to be a coherent Exa search integration that uses an Exa API key and sends user-provided queries or URLs to Exa, with no evidence of hidden persistence, destructive actions, or unrelated data access.
This skill looks safe for its stated purpose. Before installing, make sure you trust Exa with the searches or URLs you submit, keep EXA_API_KEY secure, and confirm jq and curl are installed from trusted sources.
VirusTotal
63/63 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill requires an Exa API key, which may have account quota, billing, or service-access implications if exposed.
The script authenticates to the Exa API using the user's EXA_API_KEY. This is expected for the stated Exa integration, but the key is still a credential.
-H "x-api-key: $EXA_API_KEY"
Store the key securely, avoid sharing logs or shell history that might contain it, and rotate the key if it is exposed.
Queries and URLs submitted through the skill may be visible to Exa's service.
The content helper posts user-supplied URLs to Exa for retrieval and summarization. This is purpose-aligned, but it is an external provider data flow.
curl -s -X POST 'https://api.exa.ai/contents' ... -d "$PAYLOAD"
Do not submit secrets, private URLs, or confidential research queries unless you are comfortable sending them to Exa.
The skill may fail or behave differently depending on the local jq/curl versions available.
The scripts rely on local jq and curl, while the provided requirements list no required binaries. This is an incomplete dependency declaration, not evidence of hidden install behavior.
PAYLOAD=$(jq -n ...)
curl -s -X POST 'https://api.exa.ai/search'
Ensure jq and curl are installed from trusted sources before using the scripts.
