ClawHub

Exa Search

v1.0.0

Use Exa (exa.ai) Search API to search the web and return structured results (title/url/snippet/text) via a local Node script. Trigger when the user asks to enable Exa search, configure Exa API key, or perform web search using Exa.

1· 4.4k·62 current·66 all-time
by@xinhai-ai
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the implementation: the script issues a POST to https://api.exa.ai/search and requires node + EXA_API_KEY. The required binary and primary credential are appropriate and proportional for a search integration.
Instruction Scope
SKILL.md instructs running the bundled Node script and only references the EXA_API_KEY. The doc suggests storing the key in the Gateway environment or ~/.openclaw/.env; the script itself only reads process.env.EXA_API_KEY and does not read files. Minor inconsistency: registry lists no required config paths but the README recommends ~/.openclaw/.env as a storage location.
Install Mechanism
No install spec or remote downloads are present — the skill is instruction + a local script. No third-party packages are being pulled at install time, so disk-write/remote-code risks are low.
Credentials
Only EXA_API_KEY is requested and declared as primaryEnv. No unrelated secrets or multiple credentials are required. The script uses the key solely to call the Exa API.
Persistence & Privilege
always:false and no behavior that modifies other skills or system-wide config. The skill does not request persistent elevated privileges.
Assessment
This skill appears coherent and limited to calling Exa's search endpoint. Before installing: (1) confirm you trust exa.ai and the endpoint URL; (2) limit the EXA_API_KEY permissions and rotate it if possible; (3) prefer setting the key in the Gateway environment rather than dropping it in a plain file like ~/.openclaw/.env; (4) be aware the script can return full page text if you enable --text (that may reveal sensitive content); and (5) because the bundle contains a runnable script, review it yourself (it only calls the Exa API and prints JSON). If you need stronger assurance, ask the publisher for a homepage/source or a signed release.

Like a lobster shell, security has layers — review code before you run it.

latestvk9703kd8w1ekc6xe0mmjesh06x80g13v

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🔎 Clawdis
Binsnode
EnvEXA_API_KEY
Primary envEXA_API_KEY

Comments