ClawHub
Back to skill
v1.0.0

NewsAPI Search

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 5:23 AM.

Analysis

This skill appears to do what it says—query NewsAPI—but it uses a local NewsAPI key and sends searches to newsapi.org, while the registry metadata does not declare those requirements.

GuidanceThis looks like a normal NewsAPI search helper. Before installing, be aware that it expects Node and a NEWSAPI_KEY in ~/.openclaw/.env, and that your search queries plus the API key will be sent to newsapi.org.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
SeverityInfoConfidenceHighStatusNote
metadata
Required binaries (all must exist): none ... Required env vars: none ... Primary credential: none

The registry metadata does not declare the Node runtime or NEWSAPI_KEY credential, even though SKILL.md and the scripts require them.

User impactInstallation/setup expectations may be less clear from the registry listing alone.
RecommendationBefore installing, confirm you have Node available and that you intend to provide NEWSAPI_KEY in ~/.openclaw/.env.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
scripts/search.js
const envPath = path.join(process.env.HOME, '.openclaw', '.env'); ... const API_KEY = process.env.NEWSAPI_KEY; ... apiKey: API_KEY

The script reads a local OpenClaw env file and uses NEWSAPI_KEY as an API credential for NewsAPI requests.

User impactYour NewsAPI key is required and will be used to authenticate requests to NewsAPI.
RecommendationUse a dedicated NewsAPI key with the minimum privileges available, and avoid placing unrelated secrets in the same env file if you do not want this script to read them.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityLowConfidenceHighStatusNote
scripts/search.js
const url = `https://newsapi.org/v2/everything?${params.toString()}`;

Search terms, filters, pagination values, and the API key are sent to the external NewsAPI provider as part of the intended API call.

User impactNewsAPI will receive the searches and filters you ask the agent to run.
RecommendationDo not use sensitive private queries unless you are comfortable sending them to NewsAPI.