Web Search by Exa
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: web-search-exa Version: 2.0.0 The skill bundle is a legitimate integration for the Exa neural web search engine via the Model Context Protocol (MCP). The documentation in SKILL.md correctly describes web search, content extraction, and research capabilities using the official Exa MCP server (mcp.exa.ai), with no evidence of malicious instructions, data exfiltration, or unauthorized execution logic.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your agent can send web-search requests to the configured Exa MCP server and receive tool results from it.
The skill is instruction-only but asks the user to connect a remote MCP server. This is central to the stated purpose, but it makes the remote service endpoint part of the trust boundary.
openclaw mcp add exa --url "https://mcp.exa.ai/mcp"
Verify the MCP URL and Exa documentation before adding the server, especially because the registry source and homepage are not populated.
If you add an API key, the configured agent/server connection may be able to use your Exa account quota and enabled Exa tools.
The instructions describe an optional Exa API key in the MCP URL to unlock higher limits and tools. This is expected for an Exa integration, but it is still account-linked credential material.
https://mcp.exa.ai/mcp?exaApiKey=YOUR_EXA_KEY
Use a dedicated or least-privileged Exa API key if available, store it carefully, and rotate it if the MCP configuration is shared or exposed.
Search terms, URLs, and research prompts may be visible to Exa as part of normal operation.
The agent uses a remote MCP provider for search and retrieval. This is disclosed and purpose-aligned, but user queries and requested URLs may be sent to that external service.
MCP server: `https://mcp.exa.ai/mcp`
Avoid sending secrets or highly sensitive internal information in search queries unless you are comfortable with Exa processing that data.
A deep research task may continue running remotely after it is started and may consume API quota or return a larger report later.
The optional deep research tool starts an asynchronous provider-side research workflow. The behavior is clearly documented and aligned with the skill, but it can continue after the initial call until results are checked.
`deep_researcher_start` | Kick off an async multi-step research agent → detailed report
Start deep research only for tasks where you want an asynchronous multi-step investigation, and keep track of started jobs and quota usage.