Exa
Pass
Audited by ClawScan on May 1, 2026.
Overview
This is a coherent Exa search integration that uses an Exa API key and sends search requests to Exa as expected.
This skill appears safe for its stated purpose. Before installing, be aware that it needs your Exa API key and will send search queries or content-extraction URLs to Exa; avoid entering confidential data, protect the credential file, and verify the source if provenance matters to you.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your Exa API key may be used for searches and could affect your Exa account quota or billing if exposed.
The script reads a locally stored Exa API key and sends it as the Exa authentication header. This is expected for the service, but it is credential use that users should notice, especially because registry metadata lists no primary credential.
CONFIG_FILE="$HOME/.clawdbot/credentials/exa/config.json" ... EXA_API_KEY=$(jq -r '.apiKey' "$CONFIG_FILE") ... -H "x-api-key: $EXA_API_KEY"
Use a dedicated Exa key if possible, protect the credential file, and rotate the key if it is ever shared or exposed.
Search terms and related parameters leave the local environment and are processed by Exa.
User-provided search terms and options are placed in an API payload and sent to Exa. This third-party data flow is central to the skill's purpose and is not hidden.
QUERY="$1" ... curl -s -X POST 'https://api.exa.ai/search' ... -d "$PAYLOAD"
Do not include passwords, tokens, private documents, or sensitive personal information in search queries or URL extraction requests unless you are comfortable sending them to Exa.
It is harder to independently verify the publisher or upstream project from the registry metadata alone.
The registry metadata does not provide a source repository or homepage. The included scripts are small and visible, and no remote installer is specified, so this is a provenance note rather than a behavioral concern.
Source: unknown; Homepage: none
Verify that the skill owner and Exa API endpoint are what you expect before adding an API key.
