exa-upgrade-migration

SUSPICIOUS. The skill’s overall purpose is coherent, and its permissions are proportionate, but the core upgrade target appears inconsistent with official Exa SDK evidence: it references `@exa/sdk` and `github.com/exa/sdk/releases` while the identified official JS SDK is `exa-js` under `exa-labs/exa-js`. This looks more like inaccurate or misleading upgrade guidance than confirmed malware, but it creates real supply-chain and package-selection risk.