Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Exa Search (Rust)

v1.0.3

Neural web search, similar-page discovery, and URL content fetching via the Exa AI search engine. USE WHEN: user asks to search the web, find articles/repos/...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the implementation: the Rust binary implements search, find_similar, and get_contents and talks to https://api.exa.ai. Requiring EXA_API_KEY and cargo/bash for a one-time build is proportionate.
Instruction Scope
Runtime instructions stick to the stated purpose (build/run the binary, read EXA_API_KEY from ~/.openclaw/workspace/.env, pass JSON via stdin). Minor issues: SKILL.md and README reference the install path ~/.openclaw/.../skills/exa-search/bin/exa-search while install.sh copies to ~/.openclaw/.../skills/exa-search-rust/bin/exa-search — this path/name mismatch may cause confusion or broken example commands but does not indicate malicious behavior.
Install Mechanism
Installer is a local install.sh that invokes `cargo build --release` on included Rust source and copies the resulting binary into the workspace. No external arbitrary downloads or URL-extraction steps; upstream crates will be fetched from crates.io via cargo (expected).
Credentials
Only EXA_API_KEY is required/declared (primaryEnv). The SKILL.md helpers read the EXA_API_KEY line from ~/.openclaw/workspace/.env (they only grep for EXA_API_KEY=). The binary validates the key format and does not access other environment variables or sensitive system paths.
Persistence & Privilege
The skill is not always-enabled and can be invoked by the user. install.sh writes files under the user's ~/.openclaw/workspace/skills/ directory (its own skill dir) — standard behavior for a skill installation and not an elevation of privilege or modification of other skills' configs.
Assessment
This package appears to be what it claims: a native Exa AI search client that requires one API key. Before installing:
1) Inspect install.sh (it builds the included Rust source with cargo and copies the binary to your OpenClaw workspace). Note that the example commands reference a directory named `exa-search` but install.sh uses `exa-search-rust`; confirm the install path and adjust the commands.
2) Only provide EXA_API_KEY (store it in ~/.openclaw/workspace/.env as instructed).
3) Building uses cargo, which will fetch crates from crates.io; if you have policies about third-party crates, audit Cargo.toml.
4) Confirm you trust the Exa API endpoint (api.exa.ai) and treat the API key as a secret: use least-privilege keys and monitor usage.
If you want higher assurance, run the build in an isolated environment or review the compiled binary before installing.

Like a lobster shell, security has layers — review code before you run it.



Runtime requirements

🔍 Clawdis
Bins: bash, cargo
Env: EXA_API_KEY
Primary env: EXA_API_KEY
