Is web-search-exa safe?

https://clawhub.ai/theishangoswami/web-search-exa

Overall score: 82 (SAFE)

This is a lightweight, declarative skill that provides web search via Exa's MCP server. It contains no executable code and no install scripts, and it exhibited clean behavior during clone monitoring. The primary risks are the implicit trust delegation to a third-party MCP endpoint (mcp.exa.ai), which could serve arbitrary tool definitions, and the potential for sensitive conversation context to leak through the natural-language search queries sent to Exa's infrastructure.

Category Scores (score out of 100 · weight in overall score)

Prompt Injection 75/100 · 30%
Data Exfiltration 80/100 · 25%
Code Execution 95/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 60/100 · 5%

Findings (7) (severity · title · score adjustment)

MEDIUM External MCP server trust delegation -20

The skill instructs agents to connect to https://mcp.exa.ai/mcp as an MCP server. This delegates tool definition authority to a third-party endpoint. The MCP server can define arbitrary tools that the agent will then have access to, beyond what the SKILLS.md documents. This is not prompt injection per se, but creates an unauditable trust boundary.

LOW No API key authentication claim -5

The skill states 'No API key needed' for connecting to the MCP server. While this reduces setup friction, it means there is no authentication or rate-limiting boundary between the agent and the third-party service, and any agent can connect without user-specific credentials.

MEDIUM Implicit data sharing with third-party search service -20

All search queries are routed to Exa's infrastructure. Agent conversations often contain sensitive context, and the natural-language queries sent to web_search_exa may inadvertently include private information from the user's session. The skill documentation even encourages 'natural language' queries, which may carry more context than structured queries.

INFO No executable code in repository -5

The skill contains only metadata JSON files and a SKILLS.md markdown file. No executable code, install scripts, hooks, or symlinks are present. All functionality is delegated to the remote MCP endpoint.

INFO Clean clone with standard OS-level file access only -5

Filesystem monitoring shows only standard library loading (ld.so.cache), OS configuration reads (/etc/passwd, /etc/group, modprobe, udev rules), and SSL certificate directory access. No anomalous behavior.

LOW Supply-chain risk via MCP endpoint -25

The skill's entire functionality depends on a remote MCP server (mcp.exa.ai). If this endpoint is compromised or serves modified tool definitions, it could inject malicious capabilities into any agent using this skill. This is an inherent risk of MCP-based skills that delegate to external servers, not specific to this skill's design.

LOW Potential for context leakage in search queries -15

When used in multi-skill agent environments, the agent may compose search queries that incorporate information from other conversations or skills, effectively leaking cross-context data to Exa's search API.