exa

The SKILL.md fragment documents a legitimate-sounding connector to Exa's neural search API and requires an EXA_API_KEY. There are no direct signs of malicious code, obfuscation, or download-execute supply-chain patterns in the provided content. The primary risk is normal for any third-party API integration: sensitive data and credentials are sent to an external service (exa.ai). A residual supply-chain risk exists because the manifest references shell scripts whose contents are not provided; those scripts should be reviewed before execution to ensure they do not log credentials, forward them to other hosts, or execute untrusted code.