Web Search by Exa
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a coherent instruction-only web search skill, but users should notice that it connects the agent to Exa’s remote MCP server and may use an optional Exa API key.
This skill appears benign and purpose-aligned for web search through Exa. Before installing, verify the MCP server URL, avoid putting secrets into search prompts, and protect any Exa API key you add to the configuration.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
64/64 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your agent can send web-search requests to the configured Exa MCP server and receive tool results from it.
The skill is instruction-only but asks the user to connect a remote MCP server. This is central to the stated purpose, but it makes the remote service endpoint part of the trust boundary.
openclaw mcp add exa --url "https://mcp.exa.ai/mcp"
Verify the MCP URL and Exa documentation before adding the server, especially because the registry source and homepage are not populated.
If you add an API key, the configured agent/server connection may be able to use your Exa account quota and enabled Exa tools.
The instructions describe an optional Exa API key in the MCP URL to unlock higher limits and tools. This is expected for an Exa integration, but it is still account-linked credential material.
https://mcp.exa.ai/mcp?exaApiKey=YOUR_EXA_KEY
Use a dedicated or least-privileged Exa API key if available, store it carefully, and rotate it if the MCP configuration is shared or exposed.
Search terms, URLs, and research prompts may be visible to Exa as part of normal operation.
The agent uses a remote MCP provider for search and retrieval. This is disclosed and purpose-aligned, but user queries and requested URLs may be sent to that external service.
MCP server: `https://mcp.exa.ai/mcp`
Avoid sending secrets or highly sensitive internal information in search queries unless you are comfortable with Exa processing that data.
A deep research task may continue running remotely after it is started and may consume API quota or return a larger report later.
The optional deep research tool starts an asynchronous provider-side research workflow. The behavior is clearly documented and aligned with the skill, but it can continue after the initial call until results are checked.
`deep_researcher_start` | Kick off an async multi-step research agent → detailed report
Start deep research only for tasks where you want an asynchronous multi-step investigation, and keep track of started jobs and quota usage.