newsapi
Pass
Audited by Gen Agent Trust Hub on May 6, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the user to install the
@membranehq/clipackage via npm. This is the official command-line interface for the author's platform and is required for the skill's functionality. - [COMMAND_EXECUTION]: The skill relies on executing various
membraneCLI commands to manage authentication (membrane login), create connections (membrane connect), and run news-related actions (membrane action run). These commands are standard for the tool's intended use. - [CREDENTIALS_SAFE]: A positive security finding: the skill explicitly instructs the agent never to ask the user for API keys, instead delegating secret management to the Membrane platform. This reduces the risk of credential exposure in logs or local configuration files.
- [PROMPT_INJECTION]: The skill processes news articles retrieved from an external API (NewsAPI). This presents a surface for indirect prompt injection where malicious instructions could be embedded in news content. However, this is an inherent risk of any news-aggregation tool, and the skill does not grant elevated privileges that would make this highly dangerous.
Audit Metadata