exa
Pass
Audited by Gen Agent Trust Hub on Mar 15, 2026
Risk Level: SAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill recommends installing the
@membranehq/clipackage globally via npm. This is a legitimate utility provided by the vendor (Membrane) to manage integrations and authentication. - [COMMAND_EXECUTION]: The skill instructions involve executing
membraneCLI commands to perform authentication, search for API actions, and execute requests. These commands are restricted to the functionality of the Membrane platform and do not involve arbitrary system command execution. - [INDIRECT_PROMPT_INJECTION]: As an integration with a search engine (Exa), the agent will ingest untrusted third-party content from the web. While this constitutes a potential surface for indirect prompt injection, it is a risk inherent to the search functionality itself rather than a vulnerability in the skill's code. The skill relies on Membrane's infrastructure for proxied requests.
Audit Metadata