NewsRiver Global Intelligence
Security checks across malware telemetry and agentic risk
Overview
This is a disclosed finance/DeFi API integration, but it gives an agent broad trading, wallet, payment, and messaging powers without clear spending or approval limits.
Treat this as a high-risk financial execution skill, not just a news tool. Before installing or invoking it, verify the provider, use a dedicated low-balance wallet, require explicit approval for every trade/bridge/yield action and every email/SMS, and avoid sharing confidential data unless you trust the provider's logging and privacy practices.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this skill with wallet or payment access could trigger irreversible or costly DeFi transactions.
These are live financial operations that can move funds or enter positions across many venues; the artifact does not define mandatory confirmation, spend caps, chain/token allowlists, or dry-run-only behavior.
Execute swaps, cross-chain transfers, yield entries, and multi-step bundles across 200+ DEXs and 180+ protocols.
Use only with explicit per-transaction approval, quote review, strict spend limits, and a dedicated low-balance wallet.
Connecting a funded wallet, payment header, or API account could give the agent/provider authority to spend funds or initiate wallet actions beyond what the user expected.
The skill contemplates autonomous payment authorization and agent-controlled wallet creation/signing, but does not specify permission scopes, revocation, maximum spend, or custody boundaries.
x402 Micropayments (Autonomous): USDC on Base. Include X-PAYMENT header. ... Wallet Creation: POST /api/privy/wallets/create-all
Verify the provider and only grant narrowly scoped access; avoid funded wallets unless limits, approvals, and revocation procedures are clear.
If enabled, an agent could send messages, scrape sites, or incur small charges through the provider API.
The paid email, SMS, and scraping proxy features are disclosed, but they can create costs or send outbound content and the artifact does not describe recipient, content, or approval constraints.
Execution Proxies - Send Email ($0.05): POST /api/v1/proxy/email; Send SMS ($0.25): POST /api/v1/proxy/sms; Web Scraper ($0.10): POST /api/v1/proxy/scrape
Require explicit user confirmation for recipients, message content, target URLs, and expected cost before using these proxy endpoints.
Sensitive trading questions, wallet/action details, or message contents may be processed and logged by the provider.
User queries and action details may be sent to external provider services and stored server-side; this is disclosed but retention, access controls, and data boundaries are not described.
AskRiver AI Chat (PREMIUM) Natural-language intelligence queries powered by Gemini. ... All actions logged to D1 database for auditability.
Avoid sending confidential data unless you have reviewed the provider's privacy, retention, and access-control policies.
Users must rely on the external service's behavior and security claims rather than locally reviewable code.
There is no local code to inspect and the publisher/source provenance is limited, so the scanner cannot verify the remote API implementation behind the high-impact financial features.
Source: unknown; No install spec — this is an instruction-only skill. No code files present.
Verify the publisher, service terms, audits, and domain ownership before granting API, wallet, or payment access.