Is exa safe?
https://clawhub.ai/fardeenxyz/exa
The exa skill is a clean, minimal wrapper around Exa AI's neural search API consisting of three straightforward bash scripts and a documentation-only SKILL.md. No prompt injection, malicious code, install hooks, or exfiltration mechanisms were found. The primary risk is that content.sh accepts arbitrary URLs without validation, which could be exploited via prompt injection to extract content from sensitive URLs through Exa's API. The API key transmission to Exa is by design and expected.
Findings (8)
LOW API key transmitted to external service -10
EXA_API_KEY is sent to api.exa.ai in every request via the x-api-key header. This is expected for an API wrapper but means the key leaves the local environment.
MEDIUM Unvalidated URL input in content.sh -25
content.sh accepts arbitrary URLs and forwards them to Exa's /contents endpoint for text extraction. No validation restricts which URLs can be submitted. An agent under prompt injection could be directed to pass internal or sensitive URLs to Exa for content extraction.
LOW Executable bash scripts included -5
Three bash scripts (search.sh, code.sh, content.sh) are included and designed to be executed by the agent. They use standard tools (curl, jq) with proper input handling via jq --arg, which prevents shell injection.
INFO No input length limits on search queries -5
None of the scripts enforce length limits on query inputs. Extremely long queries would be sent to the Exa API as-is; the API may have its own limits, but such queries could cause unexpected behavior.
LOW curl output not validated -20
Raw JSON responses from Exa's API are returned directly to the agent without any sanitization. If Exa's API were compromised, malicious content in the response could influence agent behavior.
INFO SKILL.md is clean and minimal -5
The SKILL.md contains only usage documentation with no hidden instructions, override directives, or manipulation attempts.
INFO Filesystem events are from audit harness, not skill -15
All filesystem events (reading .env, .aws/credentials, .profile, etc.) originate from the openclaw runtime environment initialization, not from the skill code itself. The skill has no install hooks.
INFO Search results could enable further attacks -30
As a general-purpose search tool, results returned by Exa could contain prompt injection payloads if an attacker controls indexed content. This is inherent to any web search skill, not specific to this implementation.