exa-search

SUSPICIOUS: the stated purpose is plausible, but the main risk is transitive installation of a third-party personal GitHub skill via the official skills CLI. No clear malicious data exfiltration is shown in the provided text, yet the trust chain, API-key exposure to unreviewed skill code, and external-content handling make this medium risk.