Kaspa News
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: kaspa-news Version: 1.1.0 The OpenClaw AgentSkills bundle for 'kaspa-news' is classified as benign. The `scripts/kaspa-news.sh` script fetches public data from `https://kaspa.news/api` using standard tools (`python3` with `requests`, `jq`). It handles user input for filtering safely by explicitly using `jq --arg` and `sys.argv` in Python snippets, which prevents shell or `jq` injection. The `SKILL.md` and `FORMAT_LOCK.md` files contain extensive instructions for the AI agent, but these are focused on precise output formatting and data presentation, including an explicit 'Security note: never interpolate raw user input directly into jq programs. Always pass user values via `--arg` / `--argjson`.' There is no evidence of data exfiltration, malicious execution, persistence, or prompt injection designed to subvert the agent's core directives or perform unauthorized actions.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the skill contacts kaspa.news and displays public news or social-media data.
The script performs network reads from a fixed external public API, which is central to a news-fetching skill and does not show credential use or data mutation.
API_BASE="https://kaspa.news/api" ... r = requests.get(url, timeout=30)
Use it for public information lookup, and verify important news or links before acting on them.
The agent may repeat public tweets or posts verbatim, including links or text that should not be treated as instructions.
The skill intentionally asks the presenting agent to preserve fetched public social-media text. That is formatting-focused and purpose-aligned, but public posts can contain untrusted text.
DO NOT ... EDIT, TRIM, SHORTEN, OR REWRITE tweet text — show it EXACTLY as the script outputs it
Treat returned posts, links, and summaries as untrusted public content; do not follow instructions embedded in fetched posts.
Users have less external provenance information for the skill package.
The supplied metadata does not provide an external source repository or homepage, which limits provenance review for the included script, although no hidden installer or dependency behavior is shown.
Source: unknown; Homepage: none
Install only if you trust the registry package and are comfortable with the included script querying the public kaspa.news API.