Back to skill

Security audit

NewsAPI Search

Security checks across malware telemetry and agentic risk

Overview

This NewsAPI skill appears to do what it says, with a caveat that it loads all variables from your OpenClaw .env file even though it only needs a NewsAPI key.

Install this if you intend to use NewsAPI and are comfortable sending search terms and filters to newsapi.org. Use a dedicated NewsAPI key, avoid storing unrelated secrets in ~/.openclaw/.env, and avoid submitting confidential queries or personal data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The script reads and imports every key from ~/.openclaw/.env into process.env, even though it only needs NEWSAPI_KEY. Broadly loading local secrets is unnecessary for the stated functionality and expands the skill's access to unrelated credentials. In an agent/skill context, this is more dangerous because the runtime may expose process.env to other code paths, logs, subprocesses, or future modifications.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.