
Exa — agentic threat model

AIVSS 7.1 · High

Exa acts as a high-fidelity knowledge retrieval tool for AI applications, presenting low direct autonomy but high indirect risk; compromised or poisoned search results can act as an attack vector (e.g., indirect prompt injection) for downstream agentic systems.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 6.5 · AARS uplift 0.59 · Factor sum 1.7/10 · Threat ×1.0 · Mitigation ×1.0
Agentic risk factors (each scored 0.00 to 1.00)
Autonomy of Action          0.10
Goal-Driven Planning        0.10
Self-Modification           0.00
Dynamic Tool Use            0.10
Persistent Memory           0.10
Contextual Awareness        0.40
Dynamic Identity            0.00
Multi-Agent Interactions    0.20
Non-Determinism             0.30
Opacity & Reflexivity       0.40

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
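As an added worked example (not part of this listing or of the OWASP calculator), the formula above applied to the ten factor scores shown here for Exa; the formula is implemented exactly as the listing states it, and the input ranges in the validation are assumptions, not something the page specifies:

```python
# Added example: OWASP AIVSS arithmetic exactly as this listing states it:
#   AIVSS = (CVSS_Base + AARS) x Mitigation_Factor
#   AARS  = (10 - CVSS_Base) x (Factor_Sum / 10) x ThM
# Factor values below are the ones shown on the listing for Exa.

EXA_FACTORS = {
    "Autonomy of Action": 0.10,
    "Goal-Driven Planning": 0.10,
    "Self-Modification": 0.00,
    "Dynamic Tool Use": 0.10,
    "Persistent Memory": 0.10,
    "Contextual Awareness": 0.40,
    "Dynamic Identity": 0.00,
    "Multi-Agent Interactions": 0.20,
    "Non-Determinism": 0.30,
    "Opacity & Reflexivity": 0.40,
}


def aivss_score(cvss_base, factors, threat_multiplier=1.0, mitigation_factor=1.0):
    """Return (factor_sum, aars, aivss) for the given inputs.

    Assumed (not stated on the page): CVSS_Base is a float in [0, 10],
    exactly ten factors are supplied and each score lies in [0, 1].
    """
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError("CVSS base score must be in [0, 10]")
    if len(factors) != 10 or any(not 0.0 <= v <= 1.0 for v in factors.values()):
        raise ValueError("expected ten factor scores, each in [0, 1]")
    factor_sum = sum(factors.values())
    # Agentic AI Risk Score: the headroom left above the CVSS base, scaled by
    # how agentic the system is (factor_sum / 10) and by the threat multiplier.
    # With ThM <= 1 this keeps the uplift bounded so AIVSS never exceeds 10.
    aars = (10.0 - cvss_base) * (factor_sum / 10.0) * threat_multiplier
    aivss = (cvss_base + aars) * mitigation_factor
    return factor_sum, aars, aivss


if __name__ == "__main__":
    fs, aars, score = aivss_score(6.5, EXA_FACTORS)
    print(f"factor sum {fs:.1f}/10, AARS uplift {aars:.3f}, AIVSS {score:.1f}")
    # A fully agentic system (all factors 1.0) on the same CVSS base reaches 10.0;
    # a non-agentic one (all factors 0.0) collapses to the plain CVSS base.
    print(aivss_score(6.5, {k: 1.0 for k in EXA_FACTORS})[2],
          aivss_score(6.5, {k: 0.0 for k in EXA_FACTORS})[2])
```

The unrounded result is 7.095, which the listing displays as 7.1 with an AARS uplift of 0.59.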

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” carry general, caveated commentary where the public description did not pin down that layer.

L1 · Foundation Models (✓ mapped)

Exa relies on embedding models and LLM technology to convert web pages into vector representations. Vulnerabilities include adversarial inputs designed to distort embedding spaces or model-stealing attacks targeting their proprietary search/embedding models.

L2 · Data Operations (✓ mapped)

As a search engine and dataset provider, Exa is highly exposed to data operations risks. Adversaries can perform search index poisoning (SEO manipulation optimized for LLM embeddings) to force Exa to return malicious or biased content to downstream AI applications.

L3 · Agent Frameworks (⚠ not certain from listing)

Not certain from the listing — Exa functions primarily as a search API rather than an agent framework, meaning orchestration, planning, and internal tool-calling vulnerabilities are minimal within Exa itself, though it acts as a tool for other frameworks.

L4 · Deployment & Infrastructure (⚠ not certain from listing)

Not certain from the listing — Details regarding the sandboxing of Exa's web crawlers, secure hosting, and API credential management are not provided, though robust crawler isolation is necessary to prevent SSRF and infrastructure compromise.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — The directory listing does not specify what observability, drift detection, or content filtering guardrails are in place to monitor search query anomalies or detect poisoned index entries.

L6 · Security & Compliance (cross-cutting) (⚠ not certain from listing)

Not certain from the listing — Compliance certifications (such as SOC2 or ISO 27001) and specific data privacy policies regarding user queries are not detailed in the public description.

L7 · Agent Ecosystem (✓ mapped)

Exa is explicitly designed for integration with AI applications and ecosystems. A compromise or manipulation of Exa's search outputs can lead to cascading failures across the ecosystem, where downstream agents ingest poisoned search results, leading to indirect prompt injection.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).