Opennews
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: opennews-2 Version: 0.1.0 The skill is designed to interact with the OpenNews 6551 API for crypto news. All `curl` commands in SKILL.md target the specified `ai.6551.io` endpoint, using the `$OPENNEWS_TOKEN` for authentication as intended. The use of `curl` and `jq` binaries is consistent with the skill's stated purpose of fetching and parsing API data. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, or prompt injection attempts to subvert the agent's behavior beyond its described functionality.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Search terms, filters, and authenticated API requests may be sent to the OpenNews/6551 service.
The skill documents shell-mediated HTTP calls to a disclosed external API. This is expected for the stated news-search purpose, but users should recognize that the agent may run curl commands that contact the 6551 service.
curl -s -X POST "https://ai.6551.io/open/news_search" ... -H "Authorization: Bearer $OPENNEWS_TOKEN"
Install only if you trust the 6551 API provider, and review commands before using the skill for sensitive searches.
Anyone or anything with access to OPENNEWS_TOKEN may be able to use the associated OpenNews/6551 API account or quota.
The skill requires an API credential for the integrated service. This is purpose-aligned, and the artifacts show the token being sent only as an Authorization header to the disclosed API base URL.
All endpoints require a Bearer token via `$OPENNEWS_TOKEN`.
Use a dedicated, revocable token with the minimum necessary scope, and do not paste the token into prompts or shared files.
The skill may require jq for some example commands, and the declared read capability is not clearly justified by the documented API-only use case.
package.json declares jq and a local read tool, while the registry/install information only requires curl and the documented workflow is API-focused. This is a minor dependency/capability mismatch users should be aware of.
"tools": ["exec", "read"],
"binaries": ["curl", "jq"]Clarify or remove the unused read capability and ensure jq is consistently declared or installed if jq-based workflows are intended.