Exa Cli

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill is aligned with using Exa for web search, but users should note that setup installs third-party CLI tooling and stores an Exa API token.

Before installing, verify the Exa CLI source and installer commands, be comfortable with the PATH change, and use a limited, revocable Exa API token. The documented behavior otherwise matches an Exa web-search CLI skill.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing the skill may run third-party setup code and modify the local CLI environment.

Why it was flagged

The setup depends on external, unpinned installer commands, including a remote shell installer. This is purpose-aligned for a CLI skill but should be verified before running.

Skill content

npx api2cli install Melvynx/exa-cli
...
bun --version || curl -fsSL https://bun.sh/install | bash

Recommendation

Review the referenced repositories/tools before running setup, prefer pinned or trusted install sources where possible, and avoid running curl-to-bash installers in sensitive environments.

What this means

The configured CLI may use the user's Exa account access and quota for searches, contents, answers, and context requests.

Why it was flagged

The skill asks the user to configure an Exa API token. This is expected for Exa API use, and the artifacts do not show token logging, hardcoding, or unrelated credential use.

Skill content

exa-cli auth set "your-token"
exa-cli auth test

Recommendation

Use a revocable Exa token with the minimum needed permissions, and rotate it if the local environment or installed CLI becomes untrusted.

What this means

The user's command environment may be changed so the installed CLI is found in future commands.

Why it was flagged

The setup/build/link flow can execute local tooling and persistently alter PATH. This is disclosed and aligned with making the CLI available, but it affects the user's shell environment.

Skill content

npx api2cli bundle exa
npx api2cli link exa

`api2cli link` adds `~/.local/bin` to PATH automatically.

Recommendation

Confirm PATH changes are acceptable before setup and remove the linked binary or PATH entry if the CLI is no longer wanted.