exa-search

Warn

Audited by Gen Agent Trust Hub on May 5, 2026

Risk Level: MEDIUM | COMMAND_EXECUTION | PROMPT_INJECTION | EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructs the agent to construct shell commands using strings parsed from user input and web-retrieved metadata. Specifically, Step 6 interpolates page titles and author names directly into a python3 command. If an attacker controls the metadata of a searched website, they could inject shell metacharacters to execute arbitrary commands on the host system.
  • [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection. It ingests untrusted data (highlights, summaries, and full text) from the open web (Step 4) and provides it to the agent.
      • Ingestion points: SKILL.md Step 4 and Step 6 (metadata extraction).
      • Boundary markers: Absent. The skill does not instruct the agent to use delimiters or ignore instructions embedded in the search results.
      • Capability inventory: The skill has access to Bash(*), Read, and Write tools (SKILL.md frontmatter).
      • Sanitization: Absent. Web-retrieved content is used verbatim.
  • [EXTERNAL_DOWNLOADS]: The skill downloads the exa-py package from the standard Python registry. This is the official SDK for Exa AI, a well-known service.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 5, 2026, 06:32 PM