Neural web search, similar-page discovery, and URL content fetching via the Exa AI search engine. USE WHEN: user asks to search the web, find articles/repos/...
Security Analysis
high confidenceThe skill's code, instructions, and requested credential (EXA_API_KEY) are coherent with a native Exa AI web-search client; only minor documentation/installation path inconsistencies were found.
Name/description match the implementation: the Rust binary implements search, find_similar, and get_contents and talks to https://api.exa.ai. Requiring EXA_API_KEY and cargo/bash for a one-time build is proportionate.
Runtime instructions stick to the stated purpose (build/run the binary, read EXA_API_KEY from ~/.openclaw/workspace/.env, pass JSON via stdin). Minor issues: SKILL.md and README reference the install path ~/.openclaw/.../skills/exa-search/bin/exa-search while install.sh copies to ~/.openclaw/.../skills/exa-search-rust/bin/exa-search — this path/name mismatch may cause confusion or broken example commands but does not indicate malicious behavior.
Installer is a local install.sh that invokes `cargo build --release` on included Rust source and copies the resulting binary into the workspace. No external arbitrary downloads or URL-extraction steps; upstream crates will be fetched from crates.io via cargo (expected).
Only EXA_API_KEY is required/declared (primaryEnv). The SKILL.md helpers read the EXA_API_KEY line from ~/.openclaw/workspace/.env (they only grep for EXA_API_KEY=). The binary validates the key format and does not access other environment variables or sensitive system paths.
The skill is not always-enabled and can be invoked by the user. install.sh writes files under the user's ~/.openclaw/workspace/skills/ directory (its own skill dir) — standard behavior for a skill installation and not an elevation of privilege or modification of other skills' configs.
Guidance
This package appears to be what it claims: a native Exa AI search client that requires one API key. Before installing: 1) Inspect install.sh (it builds the included Rust source with cargo and copies the binary to your OpenClaw workspace). Note the example commands reference a directory named `exa-search` but install.sh uses `exa-search-rust` — confirm/install path and adjust commands. 2) Only provide EXA_API_KEY (store it in ~/.openclaw/workspace/.env as instructed). 3) Building uses cargo which will fetch crates from crates.io — if you have policies about third-party crates, audit Cargo.toml. 4) Confirm you trust the Exa API endpoint (api.exa.ai) and treat the API key as a secret: use least-privilege keys and monitor usage. If you want higher assurance, run the build in an isolated environment or review the compiled binary before installing.
Latest Release
v1.0.3
Fix: mkdir bin/ in install.sh; update install dir name to match ClawHub slug
Popular Skills
Published by @Prompt-Surfer on ClawHub
