exa-search
Warn
Audited by Gen Agent Trust Hub on May 18, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill defines a workflow where the agent runs local scripts (exa_search.py and research_wiki.py) via the shell, passing arguments derived from external search results.
- [REMOTE_CODE_EXECUTION]: Step 6 of the workflow involves building a shell command using metadata (title, authors, venue) retrieved from web search results. This pattern is susceptible to command injection, as untrusted data from the internet is interpolated directly into a bash command line.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted web content and metadata that are subsequently used to influence automated workflows.
  - Ingestion points: Web results and content extraction from Exa (SKILL.md Step 4 and 6).
  - Boundary markers: None. The skill does not provide instructions for the agent to use delimiters or boundary markers when handling the fetched content.
  - Capability inventory: The skill has access to Bash, Read, and Write tools, which increases the impact of any successful injection.
  - Sanitization: None. The workflow lacks guidance on sanitizing or validating search metadata before it is passed to shell commands.
- [EXTERNAL_DOWNLOADS]: The skill references the exa-py package, which is the official SDK for the Exa search service.
Audit Metadata