BlockBeats API skill for querying crypto news, newsflashes, and articles. Requires a valid api-key token to access the BlockBeats Pro API.
Security Analysis
medium confidence
The skill mostly matches its stated purpose (querying BlockBeats), but there are inconsistencies in the documented vs actual config paths and the code sends your API token over plain HTTP — these issues merit caution before installing.
Name/description (BlockBeats news API) align with the included Node scripts which call a BlockBeats-like HTTP API. Required binary 'node' is appropriate. However, the SKILL.md and scripts use different skill directory names (SKILL.md references ~/.openclaw/skills/blockbeats-api while the script writes to ~/.openclaw/skills/blockbeats-openclaw-skill), which is an incoherence in packaging/paths.
SKILL.md instructs the agent/user to set and expect the token in ~/.openclaw/skills/blockbeats-api/config.json and to run node ~/.openclaw/skills/blockbeats-api/scripts/api.js, but the script's CONFIG_DIR uses ~/.openclaw/skills/blockbeats-openclaw-skill/config.json. That mismatch means tokens may be saved/loaded from an unexpected location. Aside from that, runtime instructions only read/write a local config file and call the remote API; they do not attempt to read other system files or environment variables.
This is instruction-only with included Node scripts and no install spec — nothing is downloaded or installed automatically. That's low-risk from an install-mechanism perspective.
No environment variables or external credentials are requested; the API token is stored locally in the user's home directory. That is proportionate. However, the code transmits the token in an HTTP request (BASE_URL uses http://), which exposes the token in transit and is a security concern.
The skill does write a config file under the user's home (~/.openclaw/skills/...), which is normal for a user-level skill. It does not request global privileges or set always: true. No modification of other skills or system-wide settings is present.
Guidance
Things to consider before installing:
- Path mismatch: The SKILL.md says the token and scripts live under ~/.openclaw/skills/blockbeats-api, but the script actually saves the token under ~/.openclaw/skills/blockbeats-openclaw-skill/config.json. Confirm where the script will be installed and where tokens will be read/written so you don't lose your token or leave it in an unexpected location.
- Insecure transport: The code sends your API key to http://api-pro.theblockbeats.info (HTTP, not HTTPS). That means your token would be transmitted in plaintext and could be intercepted. Ask the author to use HTTPS (https://...) or verify the server and tunnel before using a real API key.
- Inspect and test locally: Because the package contains runnable JS, run the script yourself in a controlled environment (or inspect/modify CONFIG_DIR/BASE_URL) before saving any real credentials. You can run set-token with a throwaway key to confirm where it writes the file.
- Confirm trust in the remote host: The domain is not documented in SKILL.md beyond the code. Only proceed if you trust the BlockBeats Pro endpoint and the skill's origin.

If you are uncomfortable with the HTTP transport or the path inconsistencies, do not install or provide your real API token until those are resolved. If you need to proceed but want more safety, modify the script to use HTTPS and to write to an explicit, expected path before using it.
Latest Release
v1.0.0
Initial release: newsflash and article API support
Published by @f-s-c-1 on ClawHub