Hi Exa team,
While testing MCP server security and quality checks, I noticed that the README includes a remote MCP example that places the API key in the URL query string:
https://mcp.exa.ai/mcp?exaApiKey=YOUR_KEY&tools=web_search_exa,web_search_advanced_exa,web_fetch_exa
Reference:
Why this matters
Query-string secrets are easy to leak through shell history, client logs, proxy logs, browser history, screenshots, and support bundles. For MCP configs, this can also be copied between tools and stored in plain config files.
Suggested change
If supported, the docs could prefer one of these patterns:
- Authorization header;
- MCP client secret/env field;
- local stdio config with EXA_API_KEY;
- or a warning that query-string auth is convenient but less safe and should be avoided for shared or logged environments.
One additional schema-level lint finding: in the dynamic tool schema for web_fetch_exa, urls.items is currently a plain string. Since this tool fetches URLs, adding format: "uri" would make client-side validation clearer.
mcp-lint context
V0 of mcp-lint is ready at https://github.com/agentsnative/mcp-lint. It is a CI linter for MCP servers that checks installability, tool schemas, annotations, secret handling, and high-risk tool configuration. Secret-in-query-string examples and URL schema precision are exactly the kinds of docs/schema checks mcp-lint is designed to catch automatically.
Would you be interested in trying the V0 mcp-lint report for this repo? I would be happy to run it against the server and share the output in an issue or PR.
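An added example, written for this page and not part of the Exa MCP server or the mcp-lint project: three small checks in Python that correspond to the findings above. The first scans README or config text for URLs carrying a credential-looking query parameter (such as exaApiKey) and redacts the value in its report; the second rewrites such a URL so the secret travels in an Authorization header instead (the `Bearer` scheme is an assumption, the issue only says "Authorization header"); the third walks a tool's JSON Schema and reports URL-carrying array properties whose items are a plain string without `format: "uri"`. The README snippet and the `web_fetch_exa` schema used as input are constructed stand-ins, not copied from the project.

```python
"""Added example (not Exa's or mcp-lint's code): lint checks for the two findings
in the issue above, run on constructed sample input."""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameter names that usually carry a credential.
SECRET_PARAM = re.compile(r"(api[_-]?key|token|secret|password|auth)", re.IGNORECASE)
# Rough URL matcher for README/config text; stops at whitespace, quotes and backticks.
URL_RE = re.compile(r"https?://[^\s\"'`<>)]+")
# Property names that suggest the array holds URLs.
URLISH = re.compile(r"(^|_)(url|urls|uri|uris|link|links)$", re.IGNORECASE)

# Constructed README snippet: the query-string form quoted in the issue plus a
# header-based form (the Bearer scheme is an assumption).
README_SNIPPET = """
Remote MCP (query-string auth):
  https://mcp.exa.ai/mcp?exaApiKey=YOUR_KEY&tools=web_search_exa,web_search_advanced_exa,web_fetch_exa
Remote MCP (header auth):
  https://mcp.exa.ai/mcp?tools=web_search_exa  with  Authorization: Bearer YOUR_KEY
"""

# Constructed stand-in for the dynamic tool schema of web_fetch_exa.
WEB_FETCH_EXA_SCHEMA = {
    "type": "object",
    "properties": {
        "urls": {"type": "array", "items": {"type": "string"}},
        "max_chars": {"type": "integer"},
    },
    "required": ["urls"],
}


def _redact(url, param):
    """Replace the value of `param` in the query string so reports never echo the secret."""
    return re.sub(rf"({re.escape(param)}=)[^&#]*", r"\1<redacted>", url)


def flag_query_string_secrets(text):
    """Return [{'url': <redacted url>, 'param': <name>}] for every secret-looking query param."""
    findings = []
    for match in URL_RE.finditer(text):
        url = match.group(0)
        for name, _value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
            if SECRET_PARAM.search(name):
                findings.append({"url": _redact(url, name), "param": name})
    return findings


def move_secret_to_header(url, param, scheme="Bearer"):
    """Strip `param` from the URL and return (clean_url, headers) carrying it instead."""
    parts = urlsplit(url)
    kept, secret = [], None
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key == param:
            secret = value
        else:
            kept.append((key, value))
    clean = urlunsplit(
        (parts.scheme, parts.netloc, parts.path, urlencode(kept, safe=","), parts.fragment)
    )
    headers = {"Authorization": f"{scheme} {secret}"} if secret is not None else {}
    return clean, headers


def url_array_items_missing_uri_format(schema, path="input_schema"):
    """Return JSON paths of URL-named array properties whose items lack format: 'uri'."""
    findings = []
    for name, prop in schema.get("properties", {}).items():
        here = f"{path}.{name}"
        if prop.get("type") == "array" and URLISH.search(name):
            items = prop.get("items", {})
            if items.get("type") == "string" and items.get("format") != "uri":
                findings.append(here + ".items")
        if prop.get("type") == "object":  # recurse into nested objects
            findings.extend(url_array_items_missing_uri_format(prop, here))
    return findings


if __name__ == "__main__":
    for f in flag_query_string_secrets(README_SNIPPET):
        print("secret in query string:", f["param"], "in", f["url"])
    print(move_secret_to_header(
        "https://mcp.exa.ai/mcp?exaApiKey=YOUR_KEY&tools=web_search_exa", "exaApiKey"))
    print("schema findings:", url_array_items_missing_uri_format(WEB_FETCH_EXA_SCHEMA))
```

The secret scanner reports the parameter name and a redacted URL rather than the value, so the lint output itself does not become another place the key leaks (the same logs-and-screenshots concern the issue raises). The schema check only fires on string items, so a property that already uses a `$ref` or an object item type is left alone.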