exa-search
Audited by Socket on Mar 10, 2026
1 alert found:
Anomaly: The skill aligns with its stated purpose of semantic search and content discovery via the Exa API, but its footprint raises security concerns. The primary red flags are the use of an unverifiable, external GitHub-based installation method (npx from a user repository), which constitutes a supply-chain risk and a potential remote code execution risk. Additionally, API key handling is described but not elaborated with secure handling practices, visibility safeguards, or rotation. While the data flow to the Exa API is appropriate for its function, proper credentials management, audit logging controls, and a verified install source are essential to reduce risk. Overall, the skill should be treated as SUSPICIOUS, with a high concern for supply-chain risk and credential exposure until provenance and security controls are verified.