exa-company-research

Pass

Audited by Gen Agent Trust Hub on Jun 23, 2026

Risk Level: SAFE
Full Analysis
  • [DATA_EXPOSURE]: The skill utilizes an EXA_API_KEY for authentication with the Exa API. It correctly instructs the user to manage this secret via environment variables or a .env file at the repository root, which is a standard and secure practice for secret management.
  • [EXTERNAL_DOWNLOADS]: The skill performs network operations by calling the Exa REST API (exa.ai). Exa is a well-known semantic search service, and these external calls are essential for the skill's intended functionality of fetching company data and news.
  • [INDIRECT_PROMPT_INJECTION]: Because the skill processes search results (titles, snippets, and page text) from the web, there is a theoretical risk of indirect prompt injection if the ingested content contains instructions meant to influence the AI's behavior. However, this risk is inherent to any search-based skill and is mitigated by the instructions for the agent to review and filter the results manually.
  • [COMMAND_EXECUTION]: The skill operates by running a local Python script (scripts/company_research.py). This script imports a shared client (exa_client.py) from a local directory. All executed code is part of the skill's own package, and no arbitrary or untrusted commands are executed.
Audit Metadata
Risk Level: SAFE
Analyzed: Jun 23, 2026, 01:13 PM