exa-search
Warn
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: MEDIUMREMOTE_CODE_EXECUTIONCREDENTIALS_UNSAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill instructions in
SKILL.mdusenpx -y mcporterto download and execute code from the NPM registry at runtime. Executing unpinned external packages via npx is a security risk as it allows for the execution of arbitrary code if the package is compromised. - [CREDENTIALS_UNSAFE]: The documentation in
references/exa-tools.mdexplicitly recommends passing theexaApiKeyas a query parameter in the URL (e.g.,?exaApiKey=YOUR_EXA_API_KEY). Sensitive credentials in URLs are often exposed in web server logs, proxy logs, and browser history. - [COMMAND_EXECUTION]: The skill provides examples of command-line execution using
npxand shell variables to interact with the Exa API. If user-controlled input is incorporated into these commands without strict sanitization, it could lead to command injection. - [EXTERNAL_DOWNLOADS]: The skill makes network requests to
https://mcp.exa.ai/mcpto retrieve tool configurations and search results. While Exa is a known service, the skill depends on the security of this external infrastructure. - [PROMPT_INJECTION]: The skill ingests untrusted data from the web via search tools, creating a surface for indirect prompt injection.
- Ingestion points: Search results and code snippets retrieved via
web_search_exaandget_code_context_exaenter the agent context (File:SKILL.md). - Boundary markers: No specific delimiters or instructions to ignore instructions within the retrieved content are present in the parameter templates.
- Capability inventory: The skill has the capability to execute shell commands via
npxand perform further network operations. - Sanitization: There is no evidence of sanitization or filtering of the content returned from the external search API before processing.
Audit Metadata