
Security audit

91 Exa Web Search Free

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only Exa search integration, but users should remember that searches, URLs, company names, and people-search queries go to an external service.

Install only if you are comfortable using Exa through mcporter for external searches. Avoid submitting secrets, private source code, internal-only URLs, customer records, regulated data, or sensitive personal information, and use the optional people_search, crawling, and deep_researcher tools only where you have appropriate permission and compliance clearance.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 95%
Finding: The skill instructs users to send search queries to the external Exa MCP endpoint but does not disclose that entered queries, code lookups, or research terms leave the local environment. This can lead users to submit sensitive internal information, credentials, incident details, or proprietary code under the mistaken assumption that the tool is local-only.

Missing User Warnings

Medium
Confidence: 93%
Finding: The documentation enables people-profile search functionality without any warning about privacy, acceptable use, or legal/compliance constraints. That omission can encourage collection or enrichment of personal data about individuals without user awareness of privacy risks, policy restrictions, or jurisdiction-specific requirements.

Missing User Warnings

Low
Confidence: 88%
Finding: The examples encourage use of web search, crawling, people search, and deep research features that inherently send user-provided queries or URLs to external services, but the documentation does not warn users about network egress, third-party processing, or privacy implications. In a skill centered on remote search, this is expected functionality rather than overtly malicious behavior, but the lack of disclosure can still lead users to unintentionally transmit sensitive data.

VirusTotal

66/66 vendors flagged this skill as clean.
