Low Risk — Risk Score 5/100
Last scan: 2 days ago
panews-creator
Create and manage articles on the PANews platform with authenticated creator workflows
This is a documentation-only skill package for PANews article management with no executable scripts present. All declared capabilities are legitimate content publishing workflows with appropriate security guards documented.
Skill Name: panews-creator
Duration: 33.0s
Engine: pi
Safe to install
This skill is safe to use as documented. However, the referenced CLI scripts (scripts/cli.mjs) are not included in the package, so the skill as delivered is incomplete and non-functional.

Findings 2 items

Severity Finding Location
Low
Missing CLI Implementation
SKILL.md references scripts/cli.mjs with available commands (validate-session, list-articles, create-article, etc.) but no scripts directory or implementation files are included in the package. The skill is documentation-only and non-functional as delivered.
node {Skills Directory}/panews-creator/scripts/cli.mjs <command> [options]
→ Include the actual CLI implementation if this skill is meant to be functional, or clarify that this is a documentation-only package.
SKILL.md:49
Low
Placeholder URL in Example
A placeholder Twitter URL 'https://twitter.com/xxx' appears in workflow-apply-column.md example commands.
https://twitter.com/xxx
→ This is a minor documentation placeholder, not a security concern.
references/workflow-apply-column.md:30
Resource Declared Inferred Status Evidence
Filesystem NONE NONE No file operations in documentation
Network READ READ ✓ Aligned API calls to PANews platform are declared and documented
Shell NONE NONE CLI script referenced but not present
Environment READ READ ✓ Aligned PA_USER_SESSION environment variable for authentication
Skill Invoke NONE NONE No cross-skill invocation detected
Clipboard NONE NONE No clipboard access documented
Browser NONE NONE No browser automation documented
Database NONE NONE No direct database access
1 finding
Medium External URL
https://twitter.com/xxx
references/workflow-apply-column.md:30

File Tree

7 files · 11.3 KB · 311 lines
Markdown 6f · 304L YAML 1f · 7L
├─ 📁 agents
│ └─ 📋 openai.yaml YAML 7L · 438 B
├─ 📁 references
│ ├─ 📝 workflow-apply-column.md Markdown 37L · 1.2 KB
│ ├─ 📝 workflow-manage.md Markdown 25L · 712 B
│ ├─ 📝 workflow-polish.md Markdown 35L · 1.4 KB
│ ├─ 📝 workflow-publish.md Markdown 78L · 2.1 KB
│ └─ 📝 workflow-revise.md Markdown 44L · 985 B
└─ 📝 SKILL.md Markdown 85L · 4.5 KB

Security Positives

✓ Session verification is required before any write operations
✓ Explicit user confirmation required before destructive actions (delete)
✓ Security guidance provided: session tokens should use environment variables, not command line
✓ On 401 response, skill halts and prompts user to refresh session
✓ No credential harvesting or exfiltration patterns detected
✓ No network IOCs (Indicators of Compromise) found - only legitimate PANews API calls
✓ No base64, eval, or obfuscated code patterns
✓ No sensitive filesystem path access (no ~/.ssh, ~/.aws, .env access)
✓ No remote script execution patterns (no curl|bash or wget|sh)