Exa tools

v1.0.0

Use when tasks need Exa MCP for web or people research, or when preparing Exa MCP server configuration with a fixed tool set. Trigger for requests to run Exa...

by Stojoc Vladimir (@tokyo-s)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md and references describe using a hosted Exa MCP endpoint that requires an EXA_API_KEY, but the skill metadata does not declare any required environment variables or primary credential. That mismatch between what the skill says it needs (an API key) and what is declared is an incoherence worth flagging.
Instruction Scope
Instructions are narrowly scoped to picking one of three Exa tools and returning concise findings with links. They recommend preferring a hosted endpoint (https://mcp.exa.ai) and say to obtain an API key when rate-limited, but they do not instruct reading unrelated files or system credentials. The people-search capability can surface personal data — the instructions do not call out consent/PII handling.
Install Mechanism
No install spec and no code files — instruction-only skill. This minimizes on-disk execution risk.
Credentials
The references file contains URL templates that embed ${EXA_API_KEY} in a query parameter (https://mcp.exa.ai/mcp?exaApiKey=${EXA_API_KEY}&tools=...), but requires.env is empty. Two issues: (1) the skill implicitly expects an API key but does not declare it, and (2) recommending the API key in a query string is insecure (keys in URLs can leak via logs/referrers). No other credentials are requested, which is proportionate if the EXA_API_KEY is the only missing item — but it should be declared and handled more safely.
Persistence & Privilege
always is false; the skill is user-invocable and can be called autonomously (platform default). There is no install step or config modification that would give it persistent elevated privileges.
What to consider before installing
This skill appears to do what it says (run Exa MCP web/people searches) but has gaps you should resolve before trusting it:
1) The repo references an EXA_API_KEY but the skill metadata doesn't declare it — ask the publisher how the API key should be provided and stored.
2) The examples put the API key in the URL query string (exaApiKey=...), which risks leaking the key via logs or referrers; prefer header-based auth or a documented secure method.
3) The skill performs people-searches — consider privacy/consent and limit queries to what you are authorized to request.
4) There is no publisher homepage or provenance information; if you don't already trust mcp.exa.ai and the skill author, request more details (official docs, who maintains the endpoint).
If you proceed, use a restricted API key with minimal scope, avoid reusing high-privilege credentials, and prefer that the skill declare required env vars explicitly.
