Clean
github · 64 files analyzed

exa-labs/exa-mcp-server

No risky behavior detected.

Outbound network 2
Environment variables (config / keys) 16

AI review

This is a legitimate MCP server for Exa's search API. It reads the EXA_API_KEY environment variable to authenticate with Exa's service, which is expected behavior. No hidden instructions, prompt injection, or data exfiltration mechanisms were found.

Model: deepseek-chat

Static findings

Environment variables (config / keys) · Reads environment variables (config / API keys)

low api/mcp.ts:1 process.env.AGNOST_LOG_LEVEL = 'error';
low api/well-known-oauth-protected-resource.ts:8 const OAUTH_ISSUER = process.env.OAUTH_ISSUER || 'https://auth.exa.ai';
low api/well-known-openai-apps-challenge.ts:22 const raw = process.env.OPENAI_APPS_CHALLENGE_TOKEN || '';
low src/stdio.ts:1 process.env.AGNOST_LOG_LEVEL = process.env.AGNOST_LOG_LEVEL ?? "error";
low src/tools/companyResearch.ts:35 const exa = new Exa(config?.exaApiKey || process.env.EXA_API_KEY || '');
low src/tools/deepResearchCheck.ts:43 const exa = new Exa(config?.exaApiKey || process.env.EXA_API_KEY || '');
low src/tools/deepResearchStart.ts:36 const exa = new Exa(config?.exaApiKey || process.env.EXA_API_KEY || '');
low src/tools/deepSearch.ts:42 const exa = new Exa(config?.exaApiKey || process.env.EXA_API_KEY || '');
low src/tools/exaCode.ts:38 const exa = new Exa(config?.exaApiKey || process.env.EXA_API_KEY || '');
low src/tools/linkedInSearch.ts:32 const exa = new Exa(config?.exaApiKey || process.env.EXA_API_KEY || '');
low src/tools/peopleSearch.ts:35 const exa = new Exa(config?.exaApiKey || process.env.EXA_API_KEY || '');
low src/tools/webFetch.ts:67 const exa = new Exa(config?.exaApiKey || process.env.EXA_API_KEY || '');

+ 4 more

Outbound network · Makes outbound network requests

info package-lock.json:13 "axios": "^1.13.6",
low package.json:53 "axios": "^1.13.6",

MCPVet is a heuristic aid, not a security guarantee. A clean grade does not prove an extension is safe; always review code and instructions you don't trust.