Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Sonarbay News
v1.0.0
Search and analyze global news using SonarBay News Intelligence. Provides real-time access to 7 days of worldwide news coverage via CLI or REST API. Use when...
by @pavanxs
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (news search, trending, counts) align with the documented CLI commands and REST endpoints. No unrelated credentials, binaries, or config paths are requested — the declared purpose matches what the instructions show.
Instruction Scope
SKILL.md stays within the news-search domain (CLI usage, REST endpoints, examples). It does not instruct reading local files or unrelated environment variables. However, the Install section explicitly tells users to pipe remote shell/PowerShell scripts into a shell (curl https://sonarbay.com/install.sh | sh and irm https://sonarbay.com/install.ps1 | iex), which expands scope to executing arbitrary remote code on the host.
Install Mechanism
There is no formal install spec in the registry, but the documentation instructs running remote install scripts directly from sonarbay.com via pipe-to-shell and PowerShell 'iex'. This pattern downloads and executes remote code without checksums or release verification and is high-risk. Although the domain is the service domain (sonarbay.com), it is not a vetted release host like a known package registry; the script contents are not included for review.
Credentials
The skill declares no required environment variables or credentials and the REST endpoints state 'No authentication required'. That is proportionate for a public read-only news API. There is no request for unrelated secrets or system credentials in the SKILL.md.
Persistence & Privilege
Skill metadata does not request always-on inclusion or special privileges. The CLI install and the 'sonarbay update' command imply that the installed tool will persist on the system if the user installs it; this is expected, but it should be treated as installing third-party software (inspect the installer first).
Scan Findings in Context
[no-regex-findings] expected: The static regex scanner found no code files to analyze (instruction-only skill). The SKILL.md itself contains remote-install commands (curl | sh, iex) which the scanner did not flag because it only scanned code files; those installer URLs should be manually reviewed.
What to consider before installing
This skill looks like a legitimate news CLI/REST integration, but exercise caution before running the installer commands it documents. Never pipe remote scripts directly into a shell without reviewing them: fetch the installer (curl https://sonarbay.com/install.sh -o install.sh) and inspect its contents and checksums first. Prefer using documented package managers or official release pages when available. If you must install, do so in an isolated environment (container or VM), verify HTTPS and the domain, look for published checksums or signed releases, and consider using the REST endpoints directly (curl against https://sonarbay.com/v1/...) to avoid executing third-party install scripts. Because the registry entry has no homepage and the source is 'unknown', verify the vendor and review the installer before trusting it with your system.
Like a lobster shell, security has layers — review code before you run it.
