Exa
Pass
Audited by ClawScan on May 1, 2026.
Overview
This Exa skill is purpose-aligned, but users should know it uses an Exa API key and sends search or research inputs, and optionally a schema file, to Exa’s API.
This skill appears safe for its intended Exa search and research use. Before installing, make sure you trust the unknown-source package enough to provide an Exa API key, and avoid sending secrets or confidential local files through queries, research instructions, URLs, or SCHEMA_FILE.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can act using the user’s Exa API key and may consume the user’s Exa account quota or access permissions.
The skill reads an Exa API key from the environment or a nearby .env file. This credential use is expected for the Exa integration and is limited to EXA_API_KEY.
grep -E '^(export[[:space:]]+)?EXA_API_KEY=' "$_env_file" ... export EXA_API_KEY="$_val"
Use a dedicated Exa API key if possible, keep it out of shared files, and revoke or rotate it if the skill is no longer used.
Search queries, URLs, research instructions, and related payload data may be transmitted to Exa.
Research instructions and optional structured-output schema data are sent to Exa’s external API endpoint. This is central to the skill’s purpose and is disclosed.
curl -s -X POST 'https://api.exa.ai/research/v1' ... -H "x-api-key: $EXA_API_KEY" ... -d "$PAYLOAD"
Do not include secrets, private documents, or confidential business information in queries, research instructions, URLs, or schema files unless you intend to share them with Exa.
If a user or agent points SCHEMA_FILE at a confidential JSON file, its contents could be uploaded to Exa.
A user-selected local JSON schema file can be read and included in the Exa research request. The script blocks obvious secret-file suffixes and enforces a size limit, but users still need to choose the file carefully.
OUTPUT_SCHEMA_JSON="$(jq -c '.' "$SCHEMA_FILE")" ... '{ instructions: $instructions, model: $model, outputSchema: $outputSchema }'
Only set SCHEMA_FILE to a dedicated non-sensitive JSON schema file and review the path before running research commands.
Users have less provenance information about who maintains the skill or where updates originate.
The registry data does not identify a source repository or package provenance, although the supplied scripts are included for review and no remote installer is shown.
Source: unknown
Prefer installing from trusted publishers or verify the included scripts before use, especially before providing an API key.
