web-search-exa

Fail

Audited by Snyk on May 19, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt explicitly shows embedding the API key as a URL query parameter (e.g., ?exaApiKey=YOUR_EXA_KEY) and examples that append a key to MCP URLs, which instructs the agent to handle and potentially emit secret values verbatim.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The SKILL.md explicitly instructs the agent to search and fetch public web content (e.g., web_search_advanced_exa, crawling_exa, deep_search_exa and people_search_exa sections) — including blogs, tweets, LinkedIn, arXiv and arbitrary URLs — and to read and synthesize that untrusted, user-generated third‑party content as part of its workflows, so external page content could indirectly inject instructions that influence agent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill uses the Exa MCP runtime endpoint (https://mcp.exa.ai/mcp) to fetch web pages and extracted content at runtime—which the agent injects into its model context to form responses—so this external URL directly controls prompt input and is a required runtime dependency.

Issues (3)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata

Risk Level: HIGH
Analyzed: May 19, 2026, 10:47 AM
Issues: 3