Exa Search
Advisory
Audited by Static analysis on May 10, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone using the skill must provide an Exa API key, and searches may consume that account's quota or billing.
The script uses the user's Exa API key as delegated authority for Exa API calls. This is expected for the stated purpose and is not shown being logged, hardcoded, or sent elsewhere.
const apiKey = process.env.EXA_API_KEY; ... "x-api-key": apiKey
Store the key securely, use an appropriately scoped Exa key if available, and revoke or rotate it if you stop using the skill.
Search terms, and optionally requested page text/highlight options, are processed by Exa.
The script sends the search query and options to Exa's API. The destination is disclosed and purpose-aligned, but user queries leave the local environment.
await fetch("https://api.exa.ai/search", { method: "POST", ... body: JSON.stringify(body) })
Avoid sending sensitive private information in search queries unless you are comfortable with Exa processing it.
