Is exa-web-search-free safe?

https://clawhub.ai/Whiteknight07/exa-web-search-free

72
CAUTION

exa-web-search-free is a lightweight MCP skill wrapping Exa's neural search API. It contains no executable code, no prompt injection, and no git hooks. However, filesystem monitoring flagged reads of .env and .aws/credentials during installation (likely openclaw runtime behavior), and at runtime all user queries are sent to Exa's third-party servers. The optional crawling and people-search tools expand the attack surface for reconnaissance use cases.

Category Scores

Prompt Injection 85/100 · 30%
Data Exfiltration 50/100 · 25%
Code Execution 80/100 · 20%
Clone Behavior 75/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 55/100 · 5%

Findings (8)

MEDIUM Sensitive file access during installation -30

Filesystem monitoring detected reads of /home/oc-exec/.env, /home/oc-exec/.aws/credentials, and auth-profiles.json during the skill installation process. While these appear to be openclaw runtime behavior rather than skill-initiated reads, the .aws/credentials access during a skill install is a concerning pattern.

MEDIUM Runtime data sent to third-party API -20

All search queries, code context requests, and company research queries are routed through mcp.exa.ai. Users should be aware that their search content is processed by Exa's servers. No local processing or privacy controls are offered.

LOW Shell command execution via mcporter -10

The skill instructs the agent to execute mcporter CLI commands which invoke shell processes. While this is the declared MCP tool pattern, it means the skill effectively has shell execution capability through the mcporter intermediary.

LOW Expandable tool surface via URL parameter -10

The advanced tools section instructs users to reconfigure mcporter with a URL containing 9 tool names as query parameters. This expands the available tool surface significantly and the URL could be manipulated.

LOW URL crawling enables arbitrary content fetch -15

The crawling_exa tool can fetch and extract content from arbitrary URLs. In combination with other tools or skills, this could be used to probe internal services, access localhost endpoints, or extract content from URLs that embed sensitive data.

LOW People search enables surveillance capability -15

The people_search_exa tool allows looking up individuals by name, which could be used for surveillance or social engineering reconnaissance.

INFO JIT cache and runtime artifacts created in /tmp -5

The openclaw runtime created JIT-compiled module caches in /tmp/jiti/ and a gateway lock file in /tmp/openclaw-1000/ during installation. These are standard runtime artifacts, not skill-initiated behavior.

INFO External documentation links 0

The skill references external URLs for documentation (GitHub, npm, exa.ai docs) but does not instruct the agent to fetch or execute content from them.