Exa Web Search (Free)

The skill's stated purpose (web/code/company search via Exa MCP) matches the instructions which call a remote MCP service. However SKILL.md metadata declares a required binary 'mcporter' while the registry's top-level requirements list 'none' for required binaries — an inconsistency. Requesting mcporter is reasonable for this purpose, but the registry should declare it.

Runtime instructions tell the agent to run mcporter commands that configure and call a remote endpoint (https://mcp.exa.ai/mcp) and to enable optional tools (crawling, people search, deep researcher). Those commands will transmit user queries (and any data included in them) to an external service. The instructions do not limit or warn about sending sensitive data, nor do they require any local validation of results. Crawling and people-search features can retrieve or expose PII and arbitrary web content.

No install spec or code files are provided (instruction-only), so nothing is written to disk by the skill itself. Risk arises from reliance on an external binary (mcporter) and network calls to the MCP endpoint rather than from an installation step. The skill references GitHub/npm resources for Exa MCP which are plausible but unverified here.

The skill declares no required environment variables or credentials, which is consistent with 'No API key needed.' However, because queries are sent to a third party, this design means user prompts and any embedded secrets could be leaked to that external service. No provision is made to prevent accidental transmission of sensitive data.

always:false (normal). The skill can be invoked autonomously (platform default). Combined with the optional 'deep_researcher' and crawling/people-search tools, autonomous invocation increases the amount of data that could be sent externally if allowed — but autonomous invocation alone is not unusual.