Security audit

Exa Cli

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Exa web-search CLI helper, with expected token and network use, but users should handle the API token and installer commands carefully.

Install only if you are comfortable running the disclosed third-party CLI installer commands and sending your Exa searches, URLs, and content requests to Exa. Use a revocable Exa API token, avoid pasting secrets into shared logs or transcripts, and avoid submitting sensitive proprietary data unless it is appropriate to share with Exa.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 82% confidence
Finding: The authentication section instructs users to set an API token but provides no warning about secure handling, shell history exposure, or avoiding hardcoding/secrets leakage. In an agent skill context, this can lead to accidental credential disclosure in logs, transcripts, process lists, or shared environments.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.