ClawHub

Exa Research

v0.1.0

Use the local `exa` CLI to search the live web, ask grounded questions with citations, fetch page contents, find similar links, retrieve Exa code context, or...

1· 93·0 current·0 all-time
by@wkenya
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description claim: use the local `exa` CLI to perform live web research. Declared requirements: `exa` binary and EXA_API_KEY. Included wrapper script simply locates the exa binary and supplies an API key before exec'ing it. These are expected and proportional for the stated purpose.
Instruction Scope
SKILL.md instructs the agent to call the bundled wrapper with exa subcommands. The wrapper reads only the API key (from env or a single credential file path) and validates the exa binary. No instructions ask the agent to read unrelated files, secrets, or system state, nor to send data to unexpected endpoints.
Install Mechanism
This is an instruction-only skill with an included shell wrapper; there is no install script that downloads code from an external URL. The README instructs users to install Exa from its upstream repo. No risky remote downloads or archive extraction are present in the package.
Credentials
Only one credential is required (EXA_API_KEY), declared as primaryEnv. The wrapper supports a single credential file path and environment variable and documents them. The requested credential is consistent with Exa API usage and there are no unrelated secrets requested.
Persistence & Privilege
The skill does not request always: true and does not modify other skills or system-wide settings. It runs only when invoked. The agent may invoke it autonomously by default (disable-model-invocation: false), which is standard; combined with the narrow credential scope this is not an excessive privilege.
Assessment
This package appears coherent: it wraps and runs your installed Exa CLI and reads a single Exa API key from an environment variable or a single credential file. Before installing, verify you trust the upstream Exa binary (install from the linked GitHub release), keep the API key file permissions restricted (chmod 600), and confirm EXA_BIN points to the intended executable. Because the wrapper execs the exa binary, if your exa binary were replaced by a malicious program it could misuse the API key — so prefer official Exa releases and check checksums when available. If you run agents that can invoke skills autonomously, be aware they could call this skill and use the configured EXA_API_KEY to query Exa; that behavior is expected but note it if you are concerned about automated API usage or billing.

Like a lobster shell, security has layers — review code before you run it.

latestvk978kgn9ey304d4bzfta2z7srd83bsst

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🔎 Clawdis
Binsexa
EnvEXA_API_KEY
Primary envEXA_API_KEY

Comments