exa-tools

Warn

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: MEDIUM | COMMAND_EXECUTION | PROMPT_INJECTION
Full Analysis
  • [Indirect Prompt Injection] (MEDIUM): The skill retrieves external web content through the Exa AI API. Malicious actors could place instructions on web pages to influence the agent's behavior when these pages are returned in search results.
      • Ingestion points: Results returned from the .claude/skills/exa-tools/scripts/exa.py search command.
      • Boundary markers: Absent. The skill definition does not specify delimiters to wrap or isolate the untrusted search results.
      • Capability inventory: The agent processes these results to provide context, which may influence downstream decision-making or reasoning.
      • Sanitization: No sanitization or filtering of the retrieved content is mentioned.
  • [Command Execution] (LOW): The skill relies on the execution of a local Python script using the uv runner.
      • Evidence: uv run .claude/skills/exa-tools/scripts/exa.py is invoked to perform searches. While the script path is local, the execution of arbitrary search queries via a sub-process is a functional necessity that carries baseline risk.
Audit Metadata
  Risk Level: MEDIUM
  Analyzed: Feb 16, 2026, 10:13 PM