Trust Assessment
newsapi-search received a trust score of 87/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 0 high, 2 medium, and 0 low severity. Key findings include Broad Environment Variable Loading.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| MEDIUM | Broad Environment Variable Loading: The `loadEnv` function reads the entire `~/.openclaw/.env` file and loads all key-value pairs into `process.env`. While the script only explicitly uses `NEWSAPI_KEY`, loading all environment variables from a potentially shared `.env` file can expose other sensitive credentials or configuration if they are present in the file. This creates a risk of data exfiltration if a subsequent vulnerability were to allow access to the process's environment variables. Modify the `loadEnv` function to only load specific, known environment variables (e.g., `NEWSAPI_KEY`) or use a more secure method for managing environment variables that restricts access to only what is needed. For example, explicitly setting `process.env.NEWSAPI_KEY = value` after parsing, rather than iterating and setting all. Or, if using a library, configure it to only load specific variables. | LLM | scripts/search.js:7 |
| MEDIUM | Broad Environment Variable Loading: The `loadEnv` function reads the entire `~/.openclaw/.env` file and loads all key-value pairs into `process.env`. While the script only explicitly uses `NEWSAPI_KEY`, loading all environment variables from a potentially shared `.env` file can expose other sensitive credentials or configuration if they are present in the file. This creates a risk of data exfiltration if a subsequent vulnerability were to allow access to the process's environment variables. Modify the `loadEnv` function to only load specific, known environment variables (e.g., `NEWSAPI_KEY`) or use a more secure method for managing environment variables that restricts access to only what is needed. For example, explicitly setting `process.env.NEWSAPI_KEY = value` after parsing, rather than iterating and setting all. Or, if using a library, configure it to only load specific variables. | LLM | scripts/sources.js:7 |