Exa Search (Rust)
PassAudited by ClawScan on May 10, 2026.
Overview
This looks like a normal Exa web-search integration, but it uses an Exa API key, returns untrusted web content, and has a minor install-path mismatch to verify.
This skill appears safe to use for Exa-powered web search if you trust Exa and the provided Rust build. Before installing, set a revocable EXA_API_KEY, confirm the installed binary path matches the commands the agent will run, and remember that fetched web pages are untrusted content.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your Exa API key is used to make search/content requests against your Exa account, which may expose your queries/URLs to Exa and may incur provider usage costs.
The skill sends the EXA_API_KEY to Exa as the authentication header for the intended provider API.
const EXA_BASE_URL: &str = "https://api.exa.ai"; ... headers.insert("x-api-key", api_key_val);Only install if you trust this Exa integration, keep ~/.openclaw/workspace/.env private, and use the least-privileged or revocable Exa key available.
Search results or fetched page text could contain instructions or links that should not override the user's request or the agent's safety rules.
The formatted output can include text fetched from external web pages, which may contain misleading content or prompt-injection-style instructions.
The `formatted` field is ready-to-use markdown — you can send it directly to the user.
Treat returned web content as untrusted evidence: summarize or quote it carefully, cite sources, and do not follow instructions embedded in fetched pages.
After installation, the documented command path may not point to the binary that was just built.
The installer places the binary under exa-search-rust, while the SKILL.md examples reference ~/.openclaw/workspace/skills/exa-search/bin/exa-search. That path mismatch could cause failures or accidental use of a different existing binary.
INSTALL_DIR="$HOME/.openclaw/workspace/skills/exa-search-rust"
Verify and align the installed path before use, or update the SKILL.md examples/installer so they reference the same directory.