Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

NewsRiver Global Intelligence

v1.0.13

Professional Quantitative Intelligence & DeFi Execution for AI Agents. 10 years of news-price correlation, Enso DeFi super-aggregator (200+ DEXs, 15+ chains)...

by Bidur P Shiwakoti (@bidurs)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md describes a DeFi super-aggregator, cross-chain bridging, historical news/price correlation, proxies (email/SMS/scrape) and TEE-backed agent wallets — all coherent with the stated purpose. However, registry metadata lists no required environment variables while the SKILL.md documents an optional NEWSRIVER_API_KEY; this mismatch (registry says none, documentation lists one) is an inconsistency the maintainer should clarify.
Instruction Scope
Runtime instructions are instruction-only curl/API examples that tell an agent how to query analytics and how to execute swaps/bridges/yield/bundles, create wallets, and use paid proxies. The instructions do not tell the agent to read local files or unrelated env vars, but they do enable network calls that can initiate real financial transactions and send data via email/SMS/scrape proxies — so the agent will be able to transmit data externally and move funds if execution is allowed.
Install Mechanism
No install spec or code files are present (instruction-only). This is lower-risk from a disk/execution perspective because nothing is downloaded or written by the skill package itself.
Credentials
The registry lists no required environment variables, but SKILL.md documents an optional NEWSRIVER_API_KEY (used for premium/subscription access). That alone is proportionate. However, the skill supports payments via an X-PAYMENT header (USDC on Base) and Privy-signed agent wallets, meaning monetary value can be moved through the API. The skill does not request private keys in the package, but it can cause charges and on-chain transfers; ensure any API key or payment mechanism you supply is scoped and reversible where possible.
Persistence & Privilege
always is false (good) and there is no install writing files, but the skill is allowed to be invoked autonomously (default). Because the skill exposes transaction/bridge/transfer endpoints and agent wallets, autonomous invocation could cause unintended asset movement or charges. Combine this with the metadata/instruction mismatches and you should tightly control or disable autonomous calls that perform financial operations.
What to consider before installing
This skill can perform real DeFi trades, cross-chain bridges, create agent wallets, and use paid proxies (email/SMS/scrape). Before installing: (1) Clarify the NEWSRIVER_API_KEY mismatch between the registry and SKILL.md. (2) Do not provide private keys; prefer limited, revocable API keys. (3) Test in dry_run/sandbox and with tiny amounts only. SKILL.md examples include a dry_run flag — use it. (4) Restrict or require explicit human approval for any autonomous execution that can move funds or incur payments (X-PAYMENT header / micropayments). (5) Verify the service provider (yieldcircle / agent.yieldcircle.app) and support contact; examine pricing and audit/logging policies. (6) If you are risk-averse, keep this skill disabled for autonomous invocation and only call it manually after reviewing requests the agent will make.
