opennews

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward helper for querying a disclosed crypto-news API, with expected third-party data sharing but no hidden execution or persistence.

Install only if you trust the OpenNews/6551 service. Treat OPENNEWS_TOKEN like an API key, avoid putting secrets or sensitive personal data in search terms, and treat AI ratings or trading signals as informational rather than financial advice.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Low

Confidence: 94% confidence
Finding: The skill instructs users to send authenticated requests and likely user-supplied queries to a third-party service, but it does not clearly warn that prompts, search terms, request metadata, and the bearer token are transmitted off-platform. This is a real transparency/privacy issue because users may assume the skill operates locally or may not realize their inputs are disclosed to an external provider.

External Transmission

Medium

Category: Data Exfiltration
Content: env: - OPENNEWS_TOKEN bins: - curl primaryEnv: OPENNEWS_TOKEN emoji: "\U0001F4F0" install:
Confidence: 92% confidence
Finding: curl primaryEnv: OPENNEWS_TOKEN emoji: "\U0001F4F0" install: - id: curl kind: brew formula: curl label: curl (HTTP client) os: - darwin - linu

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal