exa-mcp-server

MCP

A Model Context Protocol server with Exa for web search and web crawling. Provides real-time web searches with configurable tool selection, allowing users to enable or disable specific search capabilities. Supports customizable result counts, live crawling options, and returns content from the most relevant websites.

v3.1.7 Tested 7 Feb 2026
6.9

Dimension scores

Security 6.0
Reliability 7.0
Agent usability 7.0
Compatibility 8.0
Code health 7.0

Compatibility

Framework | Status | Notes
Claude Code | |
OpenAI Agents SDK | ~ | Deep research tools use polling pattern which may not translate well to OpenAI's synchronous function calling model; some tools return very large JSON responses which could exceed OpenAI token limits
LangChain | | Tool responses return complex nested JSON that would need parsing for LangChain's structured output format; deep research polling pattern may require custom wrapper logic

Security findings

  • MEDIUM: API key exposure in URL parameters
  • MEDIUM: Insufficient input validation on numeric parameters
  • MEDIUM: No sanitization of user-controlled search queries
  • MEDIUM: User agent and IP address logging without privacy controls
  • MEDIUM: Error messages may leak internal implementation details

Reliability

Success rate: 82%
Calls made: 100
Avg latency: 3500ms
P95 latency: 24500ms

Failure modes

  • Network timeout after 25s - no retry logic, immediate failure
  • Missing API key causes silent fallback to environment variable without validation
  • Empty/null responses from Exa API return success with generic message instead of error
  • Axios errors are caught but may return malformed JSON if error object is complex
  • Rate limiting on free tier returns JSON-RPC error but no graceful degradation
  • Unicode/special characters in queries not explicitly validated before API call
  • Deep research polling has hardcoded 5s delay - no exponential backoff for long-running tasks
  • Concurrent requests create new axios instances each time - potential memory leak under load
  • Tool registration failures are logged but don't prevent server startup
  • Type coercion (z.coerce.number) may silently convert invalid inputs like 'abc' to NaN

Code health

License: MIT
Has tests: No
Has CI: No
Dependencies: 30

Well-structured TypeScript MCP server with strong type safety and comprehensive documentation. Code quality is good with organized tool architecture, error handling, and rate limiting. However, critical gaps exist: no tests, no CI/CD, and no visible git history for maintenance metrics. The codebase shows professional patterns (proper error handling, logging, type definitions) but lacks testing infrastructure. Dependencies appear managed (package-lock.json present) and the project is actively published (v3.1.7). The extensive documentation (README, deployment guides, skill docs) and MIT license are positives. Main concerns: untested code in production and inability to verify maintenance activity.