Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

News Skill

v1.1.0

Provides latest news summaries including title, source, and brief overview on any topic using Bing News Search API.

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for loverun321/news-skill.

Install the skill "News Skill" (loverun321/news-skill) from ClawHub.
Skill page: https://clawhub.ai/loverun321/news-skill
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install loverun321/news-skill

ClawHub CLI

npx clawhub@latest install news-skill
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The description says 'Bing News Search API (via Jina)' but the code queries Google News RSS proxied through r.jina.ai. The skill also advertises paid usage but the registry metadata declares no required credentials — instead a SkillPay API key is hard-coded in SKILL.md and handler.py. These mismatches (claimed provider vs actual endpoint, and no declared credential despite a hard-coded key) are inconsistent with the stated purpose.
Instruction Scope
SKILL.md provides a full API key and pricing information in plain text, which is unusual and unsafe. The runtime instructions (handler.py) perform network calls to r.jina.ai (to fetch RSS) and to skillpay.me (to charge users). The SKILL.md and code do not instruct reading unrelated local files, but the presence of a hard-coded key in both SKILL.md and code increases the risk surface and is out-of-scope for a simple 'news summary' description.
Install Mechanism
There is no install spec (instruction-only skill plus a handler.py file). Nothing is downloaded from external or untrusted URLs during install; the runtime does perform network calls, but there is no installer that writes archives or executes fetched code.
Credentials
The skill requires no declared environment variables, yet a long-looking secret API key is embedded in SKILL.md and handler.py. Embedding credentials in code/markdown is inappropriate and disproportionate; a legitimate design would declare a primary credential or require an environment variable rather than shipping a key in plaintext. The hard-coded key will be sent to skillpay.me in requests, which may expose it if the endpoint is untrusted.
Persistence & Privilege
The skill does not request 'always: true' or other elevated install-time privileges. It is user-invocable and allows autonomous invocation by default (platform norm). It does not attempt to modify other skills or system-wide settings.
What to consider before installing
This skill has several red flags: it publishes a SkillPay API key directly in SKILL.md and handler.py, claims to use Bing but actually fetches Google News RSS via r.jina.ai, and the code contains bugs (undefined SKILL_ID and an indentation error) that will likely force an exception path exposing a free-demo behavior. Before installing or using it:

  1. Do NOT rely on the embedded API key — treat it as leaked; if it's your key, rotate it immediately.
  2. Ask the publisher to remove any hard-coded secrets and require credentials via environment variables or the platform's secret store.
  3. Confirm which news API is intended (Bing vs Google) and why r.jina.ai is being used.
  4. Verify SkillPay's domain and terms if you will be charged; test in a safe environment where charges are controlled.
  5. Prefer a fixed, reviewed implementation (no hard-coded secrets, no runtime bugs) before allowing autonomous invocation or providing payment credentials.

Like a lobster shell, security has layers — review code before you run it.

347 downloads
0 stars
2 versions
Updated 8h ago
v1.1.0
MIT-0

News Summary Skill

Get the latest news summaries for any topic.

Features

  • Get latest news for any topic
  • Uses Bing News Search API (via Jina)
  • Returns title, source, and brief summary

Price

  • 0.001 USDT per call
  • Payment via SkillPay

Usage

  • "Latest news about AI"
  • "News about Bitcoin"
  • "Tech news today"

Integration

  • API Key: sk_93c5ff38cc3e6112623d361fffcc5d1eb1b5844eac9c40043b57c0e08f91430e
  • Price: 0.001 USDT per call
