Security Audit
Jamkris/everything-gemini-code:skills/exa-search
github.com/Jamkris/everything-gemini-codeTrust Assessment
Jamkris/everything-gemini-code:skills/exa-search received a trust score of 56/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Unpinned External Dependency in Setup Instructions.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on March 30, 2026 (commit 6c6f43aa). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings1
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Unpinned External Dependency in Setup Instructions The skill's setup instructions recommend installing and running an external Node.js package (`exa-mcp-server`) using `npx` without specifying a version. This means `npx` will always fetch the latest version of the package. If a malicious update is pushed to the `exa-mcp-server` package, or if the package maintainer's account is compromised, it could lead to arbitrary code execution on the host system when the user configures the skill. Best practice is to pin dependencies to a specific version. Pin the `exa-mcp-server` dependency to a specific, known-good version in the `args` array. For example, `"args": ["-y", "exa-mcp-server@1.2.3"]` (replace `1.2.3` with the desired version). Regularly review and update the pinned version to incorporate security fixes. | LLM | SKILL.md:19 |
Scan History
Embed Code
[](https://skillshield.io/report/72c6cafcbf068a4d)
Powered by SkillShield