ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Exa Company Research

v1.0.0

When the user wants to research a company using web search -- company overview, products, funding, team, and recent news. Also use when the user mentions 'co...

0· 125·0 current·0 all-time
byMario Karras@mariokarras
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md describes web-based company research via an 'Exa' CLI and reading an optional product-marketing-context file. That aligns with the stated purpose, but the skill assumes the presence of a local Node-based CLI (node tools/clis/exa.js) and an Exa service/backend without declaring those runtime requirements.
Instruction Scope
Instructions stay within the research task (search, fetch contents, synthesize). They explicitly tell the agent to read .agents/product-marketing-context.md (or .claude/...) if present — reasonable for context reuse but worth reviewing because those workspace files can contain sensitive internal details.
Install Mechanism
No install spec and no code files are present (instruction-only). That minimizes installer risk.
!
Credentials
The skill requests no env vars or credentials, yet it depends on an Exa CLI that almost certainly requires authentication and also invokes 'node'. The lack of declared runtime dependencies or credential requirements is an omission that reduces transparency and could hide prerequisites (API keys, tokens, or preconfigured client credentials) in the environment.
Persistence & Privilege
always is false and there is no install or code that persists beyond the agent's runtime. The skill does instruct reading workspace context files but does not request elevated or persistent privileges.
What to consider before installing
Before installing, confirm these points with the skill author or your ops team: - Ensure the runtime environment actually contains 'node' and the expected local CLI script at tools/clis/exa.js (or provide a declared dependency). If the CLI is missing the skill cannot run. - Ask how the Exa CLI authenticates: does it require an API key, config file, or environment variables? The skill does not declare any required credentials — verify where those secrets would be stored and whether they are appropriate to share with the agent. - Review any .agents/product-marketing-context.md or .claude/product-marketing-context.md files the skill would read for sensitive information before allowing the skill to access them. - If you do not want the agent running arbitrary local commands, do not enable autonomous invocation for untrusted skills and verify the toolchain in a sandbox first. If the author can supply a short runtime requirements list (node version, exa CLI location, and required auth variables) and confirm no hidden credential exfiltration, this skill would be coherent for its purpose.

Like a lobster shell, security has layers — review code before you run it.

latestvk977sxh06kh3crc1c7t4h8dvgh8359x0

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments