Exa Web Search (Free)

Security checks across malware telemetry and agentic risk

Overview

This is a normal Exa web-search connector, with the main caveat that searches and optional advanced research tools use Exa's external service.

Install only if you are comfortable sending search terms and research inputs to Exa. Avoid secrets, private code, confidential business information, and sensitive personal data, and use the optional people-search, crawling, and deep researcher tools only where you have a legitimate and policy-compliant reason.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill instructs users to send search queries and research inputs to the external Exa MCP service but does not clearly disclose that user-entered data leaves the local environment. This creates a privacy and data-handling risk because users may submit sensitive prompts, company research, or proprietary code/doc queries without realizing they are being transmitted to a third party.

Missing User Warnings

Medium
Confidence: 92%
Finding
The advanced tools section advertises crawling and people-search capabilities without warning about privacy, surveillance, or data-protection implications. Users may use these features to collect personal profile data or extract full page contents from third-party sites without understanding compliance, consent, or acceptable-use constraints.

VirusTotal

63/63 vendors flagged this skill as clean.
