exa-plus
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- COMMAND_EXECUTION (LOW): The skill utilizes shell scripts (`scripts/search.sh`, `scripts/content.sh`, `scripts/code.sh`) and requires the installation of `curl` and `jq`. While inputs are passed through `jq` to prevent shell injection, the execution of shell scripts increases the overall attack surface.
- DATA_EXFILTRATION (MEDIUM): The scripts `search.sh` and `content.sh` access the local file system at `~/.clawdbot/credentials/exa/config.json` to retrieve an API key. This constitutes access to sensitive credential data, which is subsequently transmitted to the external domain `api.exa.ai` for authentication.
- PROMPT_INJECTION (MEDIUM): The skill is susceptible to Indirect Prompt Injection (Category 8) because it fetches and processes untrusted data from the internet.
  - Ingestion points: External search results and website text are retrieved via the Exa AI API and presented to the agent in `scripts/search.sh`, `scripts/content.sh`, and `scripts/code.sh`.
  - Boundary markers: None; the scripts do not implement delimiters or instructions to prevent the agent from obeying commands embedded within the search results.
  - Capability inventory: The skill possesses network communication capabilities via `curl` to reach `api.exa.ai`.
  - Sanitization: While the scripts use `jq` to ensure valid JSON payloads are sent to the API, there is no evidence of sanitization or filtering of the content returned from the external API before it is processed by the agent.
Audit Metadata