Exa Research Papers

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Exa academic-paper search helper with minor privacy and dependency notes.

Before installing, confirm that exa.js is a trusted CLI in your environment, avoid putting confidential details into research queries, and review any product-marketing context files because their contents may influence searches or summaries.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Low

Confidence: 94% confidence
Finding: The skill explicitly instructs the agent to read a local `.agents/product-marketing-context.md` or `.claude/product-marketing-context.md` file before interacting with the user, without disclosure or consent. This creates a prompt-scope and data-exposure risk because local project files may contain sensitive internal strategy, roadmap, or proprietary business context that can silently influence outputs or be surfaced back to the user.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal