exa

Fail

Audited by Snyk on Feb 16, 2026

Risk Level: HIGH
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill performs "neural web searches" via Exa/Refly and explicitly extracts semantic search result content from the Refly workflow/toolcalls output (public web search results). The agent therefore ingests and reads arbitrary third-party public web content, which could contain untrusted or user-generated instructions.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). I found a high-entropy, literal token used as the --id argument in the example run command: "skpi-j39cg6h58kgt89qy41chi1ay". That value looks like an API/secret key (random-looking, not an obvious placeholder) and is directly present in the doc, so it meets the definition of a secret.

I did not flag other random-looking IDs (e.g., "c-eptydufr83h9gket8xdjbnan") because those appear to be workflow/resource identifiers rather than credentials that grant service access, and "we-xxx" is a placeholder. No PEM/private-key blocks or other obvious high-entropy secrets were found.
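The W008 reasoning above (high-entropy body, prefix that looks like a credential rather than a workflow/resource identifier, and exclusion of obvious placeholders such as "we-xxx") can be reproduced as a small scanner. The following is an added example, not code from Snyk's audit or from the Exa/Refly skill; the prefix-to-class mapping (`skpi-` as a credential prefix, `c-` and `we-` as resource identifiers), the 3.5 bits/character entropy cut-off and the sample document are assumptions constructed for illustration.

```python
"""Entropy-based secret scanner reproducing the W008 reasoning.

Added example, not part of the Snyk report. Prefix classes, the entropy
threshold and SAMPLE_DOC are assumptions constructed for illustration.
"""
import math
import re
from collections import Counter

# Assumption: which token prefixes denote credentials versus
# workflow/resource identifiers. A real scanner carries a curated list.
CREDENTIAL_PREFIXES = ("skpi-",)
RESOURCE_PREFIXES = ("c-", "we-")
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cut-off

# A token is a short lowercase prefix, a hyphen, then an opaque body.
TOKEN_RE = re.compile(r"\b[a-z]{1,6}-[A-Za-z0-9_]{3,}\b")
# Bodies that are obviously placeholders rather than real values.
PLACEHOLDER_RE = re.compile(r"^(?:x+|X+|<[^>]+>|\.\.\.|\{[^}]+\}|your[-_]\w+)$")


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def classify_token(token: str) -> str:
    """Return 'placeholder', 'low_entropy', 'secret', 'resource_id' or 'unknown'."""
    prefix, _, body = token.partition("-")
    prefix += "-"
    if PLACEHOLDER_RE.match(body):
        return "placeholder"          # e.g. we-xxx: not a real value
    if shannon_entropy(body) < ENTROPY_THRESHOLD:
        return "low_entropy"          # repetitive body, unlikely to be a key
    if prefix in CREDENTIAL_PREFIXES:
        return "secret"               # random body under a credential prefix
    if prefix in RESOURCE_PREFIXES:
        return "resource_id"          # random body, but grants no access
    return "unknown"


def scan(text: str) -> dict:
    """Map every token found in text to its classification."""
    return {m.group(0): classify_token(m.group(0)) for m in TOKEN_RE.finditer(text)}


# Constructed sample resembling the example run command the report describes.
SAMPLE_DOC = """
Example run:
  refly run --id skpi-j39cg6h58kgt89qy41chi1ay --workflow c-eptydufr83h9gket8xdjbnan
Replace we-xxx with your workflow id.
"""

if __name__ == "__main__":
    for tok, cls in scan(SAMPLE_DOC).items():
        print(f"{cls:12} {tok}")
```

Run against the constructed sample, the scanner reports the `skpi-` token as a secret, the `c-` token as a resource identifier and `we-xxx` as a placeholder, matching the three outcomes in the finding. Entropy alone does not separate the first two (both bodies score around 4 bits/character), which is why the prefix class, not the randomness, decides whether a value grants service access.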

Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 02:54 AM