NewsAPI Search

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward NewsAPI search skill with some credential-handling and privacy caveats, but no evidence of hidden, destructive, or unrelated behavior.

Install this if you intend to use NewsAPI and are comfortable sending your search terms and filters to newsapi.org. Use a dedicated NewsAPI key with limited quota, avoid putting unrelated secrets in ~/.openclaw/.env, and avoid searching for highly sensitive internal names, personal data, or confidential topics.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Context-Inappropriate Capability

Low, 85% confidence
Finding
The script reads an entire local ~/.openclaw/.env file and injects all parsed entries into process.env, even though the skill only needs a single API key. Broadly loading local secrets expands the script's access to unrelated credentials and creates unnecessary secret exposure within the process. In this file the values are not exfiltrated, so the issue is overbroad secret access rather than clear credential theft.

Missing User Warnings

Low, 94% confidence
Finding
User search terms are sent to a third-party service, but the documentation does not clearly warn about that data flow or advise against entering sensitive information. This can lead users to disclose confidential queries, internal project names, PII, or investigative topics to NewsAPI without informed consent, which is a real privacy and operational security risk.

Missing User Warnings

Medium, 97% confidence
Finding
The code places both the user's search query and the NewsAPI credential into the request URL query string. Query strings are commonly exposed in logs, monitoring systems, browser history and similar tooling, proxies, and error traces, so this can leak sensitive API credentials and user search terms beyond the intended recipient.

VirusTotal

65/65 vendors flagged this skill as clean.
