ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Exa Personal Site Search

v1.0.0

Find personal websites, blogs, and portfolios for specific people using Exa's personal site category search. Use when the user mentions 'find someone's site,...

0· 75·0 current·0 all-time
byMario Karras@mariokarras
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill is described as an Exa personal-site search helper and its runtime instructions call a local CLI (exa.js) for search and content fetching — which is consistent in function — but the skill metadata declares no required binaries and provides no install or source/homepage. The absent declaration of exa.js (or an install step) is an incoherence: the agent will need that binary present for the skill to work.
!
Instruction Scope
Runtime instructions tell the agent to exec exa.js search/contents commands and to check for and read .agents/product-marketing-context.md (or .claude/product-marketing-context.md) before asking questions. Executing a local CLI and reading local files is within plausible scope for this task, but reading agent-local context files can expose local project or marketing data; the instructions do not limit what to read beyond those two paths. Fetching full site contents is expected for verification but may retrieve large or sensitive content.
Install Mechanism
No install spec is present (lower risk), but the instructions rely on an external CLI (exa.js) with no declared required binary or install instructions. That gap is a practical inconsistency: users must ensure exa.js is available and trustworthy before using the skill.
Credentials
The skill requests no environment variables, credentials, or config paths. There is no evidence it asks for unrelated secrets. This is proportionate to a search/lookup task, though the CLI it invokes could itself require credentials (not declared here).
Persistence & Privilege
The skill is not always-enabled and has default autonomous invocation settings. It does not request persistent system presence or claim to modify other skills or system-wide configs.
What to consider before installing
Before installing or using this skill: ensure the exa.js CLI it runs is actually available on your system and comes from a trusted source (the skill metadata provides no homepage/source). Inspect what exa.js does (especially network endpoints, data sent, and whether it requires credentials). Check the contents of .agents/product-marketing-context.md (or .claude/...) to ensure it doesn't contain secrets you wouldn't want read. Use the provided dry-run option first to preview requests. If you plan to allow autonomous agent invocation, consider restricting file access or reviewing logs so local files and fetched site contents aren't unintentionally exposed.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ex97rgbss2rw85kzyx0evj9837vam

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Exa Personal Site Search

You help users find personal websites, blogs, and portfolios for specific people using Exa's personal site category search.

Before Starting

Check for product marketing context first: If .agents/product-marketing-context.md exists (or .claude/product-marketing-context.md in older setups), read it before asking questions. Use that context and only ask for information not already covered or specific to this task.

Understand what the user needs (ask if not provided):

  1. Person's name -- who are you looking for?
  2. Known affiliations -- company, university, community, or role
  3. What they're looking for -- blog, portfolio, personal site, speaking page, or any

Workflow

Step 1: Search by Person Name

Run via exec:

exa.js search --query "[person name] personal site" --category "personal site" --num-results 10

Step 2: Narrow with Affiliations

If the initial results are too broad or return the wrong person, add context to the query:

exa.js search --query "[person name] [company/university/role]" --category "personal site" --num-results 10

Step 3: Fetch Content from Best Matches

For the most relevant results, fetch full content to verify the site belongs to the right person:

exa.js contents --ids "[id1],[id2]" --text

Use the IDs returned from the search results.

Step 4: Present Findings

Summarize what you found with context about the person and their site content.

Dry Run

To preview the request without making an API call:

exa.js search --query "[person name]" --category "personal site" --dry-run

Output Format

For each result, present:

  • Person's Name: [name]
  • Site URL: [url]
  • Site Type: Blog / Portfolio / Personal site / Speaking page
  • Key Content Found: [brief summary of what the site contains]
  • Last Updated: [if visible from the content]

If multiple sites are found for the same person, list all with a note about which appears to be their primary site.

Tips

  • Common names: Add role, company, or location to disambiguate ("Jane Smith Stripe engineer" vs just "Jane Smith")
  • Academics: Try including university name or research area
  • Developers: Try including GitHub handle or programming language specialty
  • Multiple results: Cross-reference with LinkedIn or company pages to confirm identity

Related Skills

  • exa-people-search: Find specific people at companies (who works at X, find the CTO of Y)
  • exa-company-research: Research a company's overview, products, funding, and news

Files

1 total
Select a file
Select a file to preview.

Comments

Loading comments…