Back to skill

Security audit

Exa Web Search Nodeskai

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Exa web-search skill, but users should remember that searches and optional advanced research actions go to Exa's remote MCP service.

Install only if you are comfortable using Exa through mcporter. Avoid searching for secrets, internal-only URLs, confidential company terms, or sensitive personal data, and enable the exa-full advanced tools only when you specifically need crawling, people search, or long-running remote research.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill advertises remote Exa MCP usage and explicitly configures a remote endpoint, but it does not warn users that their search queries and any retrieved content are transmitted to a third-party service. This creates a real privacy and data-handling risk because users may submit sensitive internal queries or proprietary research terms without understanding the external disclosure.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The examples demonstrate commands that send user-supplied queries, company names, and URLs to external Exa-backed search, crawling, people-search, and deep-research services without any privacy, consent, or data-handling warning. In an agent skill context, users may paste sensitive terms, internal URLs, or personally identifying information into these examples, causing unintended external transmission and possible collection by third-party services.

Unrestricted Tool Access

Medium
Category
Excessive Agency
Content
- `people_search_exa` - Professional profiles
- `deep_researcher_start/check` - AI research agent

**Enable all tools:**
```bash
mcporter config add exa-full "https://mcp.exa.ai/mcp?tools=web_search_exa,web_search_advanced_exa,get_code_context_exa,deep_search_exa,crawling_exa,company_research_exa,people_search_exa,deep_researcher_start,deep_researcher_check"
Confidence
88% confidence
Finding
tools:*

Unrestricted Tool Access

Medium
Category
Excessive Agency
Content
- `people_search_exa` - Professional profiles
- `deep_researcher_start/check` - AI research agent

**Enable all tools:**
```bash
mcporter config add exa-full "https://mcp.exa.ai/mcp?tools=web_search_exa,web_search_advanced_exa,get_code_context_exa,deep_search_exa,crawling_exa,company_research_exa,people_search_exa,deep_researcher_start,deep_researcher_check"
Confidence
88% confidence
Finding
Enable all tools

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.