exa api

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only Exa web search skill whose external API use and API-key requirement match its stated purpose, with normal privacy caution for sending searches and URLs to Exa.

Install only if you want your agent to use Exa for web search and content retrieval. Configure EXA_API_KEY in the tool or MCP layer, avoid submitting confidential queries or private URLs with sensitive tokens, strip unnecessary query parameters when possible, and keep any monitoring/cache state limited to the task.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill instructs the agent to send user-supplied URLs to a third-party API (`POST /contents`) but does not warn that the URLs themselves will be transmitted off-platform. User-provided URLs can contain sensitive query parameters, private document links, internal hostnames, or bearer-style tokens, so silently forwarding them can leak confidential data and browsing intent to an external service.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal