Exa Search

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Exa web-search helper with expected network and API-key use, but users should avoid sending sensitive queries or internal URLs.

Install only if you intend to use Exa for web search and extraction and are comfortable providing an EXA_API_KEY. Do not use it with confidential prompts, private/internal URLs, regulated data, or broad crawling unless you have permission and have set narrow result, domain, and freshness limits.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill description advertises semantic search, web scraping, and content extraction, but it does not warn that user prompts, URLs, and retrieved content may be transmitted to third-party Exa infrastructure and other external sites. In agent settings, this can lead to unintended disclosure of sensitive research targets or user-provided data because operators are not given enough information to make an informed consent decision.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The examples recommend live crawling (`max_age_hours=0`) and subpage extraction across a site without warning about bulk request behavior, rate considerations, or potential impact on third-party services. In an autonomous agent context, this can amplify traffic unexpectedly and cause accidental over-collection, abuse complaints, or interaction with sites the user did not intend to contact.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal