Back to skill

Security audit

Agent News Api

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed news API client, but it asks agents to use a raw Solana private key and can create or reuse paid API access without strong point-of-use controls.

Install only if you intentionally want a Web3-linked, paid Agent News API integration. Prefer a pre-created AGENT_NEWS_API_KEY over exposing SOLANA_PRIVATE_KEY, verify the API URL and deposit address independently, and set external budget or approval controls before allowing premium fetches or long-running streams.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Tp4

High
Category
MCP Tool Poisoning
Confidence
90% confidence
Finding
The skill is presented primarily as a news ingestion API, but it also introduces wallet-linked authentication, credit management, deposit address retrieval, and autonomous funding behavior. That mismatch increases the risk that an operator or downstream agent enables blockchain-sensitive capabilities without understanding that private-key-backed actions and spending-related workflows are part of the skill.

Intent-Code Divergence

Medium
Confidence
86% confidence
Finding
The document claims the Solana private key is used strictly for local signing and never transmitted, but elsewhere advertises autonomous funding and wallet-driven credit top-ups. Even if the key is not exfiltrated, this framing can mislead users about the real wallet impact, causing them to authorize a skill that can initiate financially meaningful blockchain actions.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The CLI exposes wallet-related onboarding and funding operations that materially exceed the advertised scope of a news-stream skill. This scope mismatch is dangerous because users or agent frameworks may grant trust, installation approval, or secrets based on the narrow 'news API' description while the tool can also trigger credential issuance and guide fund transfers.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The skill reads a Solana private key from environment variables and uses it for autonomous onboarding, which is highly sensitive functionality unrelated to basic news retrieval. In an agent context, this broadens the blast radius from passive data access to signing-capable wallet operations, increasing the risk of secret exposure, misuse, or unexpected financial actions if the skill or its dependencies are compromised.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The package presents itself as a news-stream skill, but its dependency set includes Solana wallet/signing primitives (`@solana/web3.js`, `bs58`, `tweetnacl`) that materially exceed what is needed for a basic news client. In an agent-skill context, this capability mismatch increases the risk that the skill can access keys, sign blockchain transactions, or perform wallet-related actions under the guise of fetching news, which is especially concerning because autonomous agents may execute such skills with limited oversight.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
Zero-HITL onboarding and autonomous funding imply wallet-affecting behavior, but the documentation does not provide a clear, upfront warning that on-chain spending or balance changes may occur. In an agent setting, insufficient disclosure is dangerous because autonomous systems may invoke these features without a human realizing financial operations are in scope.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The onboarding flow uses a local private key to create and persist an API credential, but the documentation does not clearly warn users that a long-lived credential will be generated and stored. Persistent credential creation expands the blast radius of compromise, especially if agents store the key insecurely or operators do not realize a reusable API secret now exists on disk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The client automatically re-authenticates on any 401 response by reusing the configured Solana private key to generate a fresh signed authentication request, without requiring explicit user approval at the point of use. This creates a sensitive-key-use-on-network-path behavior that can surprise integrators, especially because a caller may trigger REST requests or websocket setup indirectly and cause signing against a user-supplied apiUrl or compromised backend.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
agent-news-cli.js:14