Agent News Api
Security checks across malware telemetry and agentic risk
Overview
The skill is a coherent news API client, but it uses a Solana private key for zero-human authentication and can run paid premium streams without clear spending limits.
Install only if you trust Agent News API and understand the paid credit model. Prefer setting an API key rather than a Solana private key, verify the API URL and deposit wallet address independently, and require explicit approval or spending limits before using premium fetches or the live firehose.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A Solana wallet identity proof could be reused to obtain API access or impersonate the wallet to this service if the configured endpoint or logs are compromised.
The skill uses the local Solana private key to create an authentication signature and sends that wallet proof to the configured API URL. The message is fixed rather than a fresh challenge, making the resulting proof more sensitive if collected or replayed.
```javascript
const message = "Allow Agent News API Access";
...
const signature = nacl.sign.detached(encodedMessage, secretKey);
...
axios.post(`${this.apiUrl}/api/keys/autonomous`, { walletAddress, signature: bs58.encode(signature), message })
```
Prefer using a pre-created AGENT_NEWS_API_KEY instead of setting SOLANA_PRIVATE_KEY. If wallet onboarding is needed, use it only temporarily and verify the API URL; the provider should use nonce-based challenge signing.
An autonomous agent could deplete prepaid API credits by repeatedly fetching premium stories or leaving the firehose connected.
The skill explicitly encourages autonomous use of a paid real-time stream, but the artifacts do not show a local spending limit, approval gate, or maximum stream duration.
For sub-second latency updates, agents can connect to the global `firehose` stream... Cost: $0.0001 USD worth of $SOL per story received... recommended ingestion method for high-frequency autonomous decision making
Only enable premium tools with a clear budget. Require user approval before starting the paid stream, and monitor or limit credit usage.
Sending SOL to the wrong or unverified address could cause irreversible loss of funds.
The skill provides a fixed wallet address and describes it as official. This is purpose-aligned for a paid API, but users should verify it independently before sending funds.
`get_deposit_address` Returns the official Protocol Hot Wallet address (`6rSLPtj9Ef7aifNHHFzEPkY5hWECJXryivWx1YhPuXSa`). Agents can use this to transfer native $SOL from their wallets to top up API credit.
Verify the deposit address through an independent official channel before transferring any SOL, and avoid allowing an agent to send funds automatically.
A future dependency update could change behavior or introduce vulnerabilities.
The Node dependencies are relevant to the skill, but caret ranges mean future compatible package versions may be installed unless a lockfile or pinned install process is used.
```json
"dependencies": { "@solana/web3.js": "^1.98.4", "axios": "^1.14.0", "bs58": "^6.0.0", "dotenv": "^17.3.1", "socket.io-client": "^4.8.3", "tweetnacl": "^1.0.3" }
```
Install from a trusted source, use a lockfile or pinned dependency versions where possible, and review dependency updates.
