Plugin v0.1.0

ClawScan security

NewsIntel OpenClaw Bundle · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 25, 2026, 5:53 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The bundle's description matches what it does, but it relies on dynamically running an external npm package (via npx) and fails to declare the required API token/credential in the skill metadata — a modest but meaningful incoherence you should review before installing.
Guidance
This bundle wires your OpenClaw host to run the external npm package @stabem/newsintel-mcp via npx and expects a NewsIntel API token to operate. Before installing:
1) Confirm you trust the @stabem/newsintel-mcp npm package and its maintainer (review the package source on GitHub/npm and prefer pinned versions if possible).
2) Be aware npx will download and execute code at runtime — consider running it in a restricted/isolated environment.
3) The skill metadata does not declare the required API token; plan how you will provide the ni_live_... token securely (do not paste it into public logs).
4) If you need stronger assurance, ask the publisher to include the MCP package code or a version pin in the bundle, or to declare the required env var/primary credential in the skill metadata so tools can surface the requirement clearly.

Review Dimensions

Purpose & Capability
Rating: note
Name/description (NewsIntel MCP bundle) match the included .mcp.json, which launches @stabem/newsintel-mcp via npx and points to https://newsintelapi.com. However, the skill metadata declares no primary credential or required env even though the SKILL.md says the MCP tools expect a NewsIntel API token per call.
Instruction Scope
Rating: ok
SKILL.md only instructs installing the bundle into OpenClaw and shows the .mcp.json that runs npx @stabem/newsintel-mcp with NEWSINTEL_API_BASE set. It does not ask the agent to read unrelated files, secrets, or external endpoints beyond the NewsIntel API and the npm registry.
Install Mechanism
Rating: note
The bundle contains no install spec itself, but the configured MCP server uses `npx -y @stabem/newsintel-mcp` at runtime. That will fetch and execute code from the npm registry on demand — expected for this kind of plugin but a moderate risk because arbitrary code from npm will run in the host environment.
Credentials
Rating: concern
The SKILL.md explicitly requires a NewsIntel API token (ni_live_...), but the package metadata declares no required env or primary credential. The mismatch means the skill does not advertise or enforce the credential requirement in metadata, which could lead to unexpected prompts or misconfiguration and makes it harder to review what secrets the skill will use.
Persistence & Privilege
Rating: ok
No elevated privileges are requested. `always` is false and the bundle does not modify other skills or system-wide settings. It will cause npx to run the MCP server when invoked, which is standard for an MCP integration.