Low risk: risk score 5/100
Last scanned: 2 days ago
panews-creator
Create and manage articles on the PANews platform with authenticated creator workflows
This is a documentation-only skill package for PANews article management with no executable scripts present. All declared capabilities are legitimate content publishing workflows with appropriate security guards documented.
Skill name: panews-creator
Analysis time: 33.0s
Engine: pi
Can be installed
This skill is safe to use as documented. However, the referenced CLI scripts (scripts/cli.mjs) are not included in the package, so the skill as delivered is incomplete and non-functional.

Security findings: 2

Severity / Finding / Location
Low
Missing CLI Implementation
SKILL.md references scripts/cli.mjs with available commands (validate-session, list-articles, create-article, etc.) but no scripts directory or implementation files are included in the package. The skill is documentation-only and non-functional as delivered.
node {Skills Directory}/panews-creator/scripts/cli.mjs <command> [options]
→ Include the actual CLI implementation if this skill is meant to be functional, or clarify that this is a documentation-only package.
SKILL.md:49
Low
Placeholder URL in Example
A placeholder Twitter URL 'https://twitter.com/xxx' appears in workflow-apply-column.md example commands.
https://twitter.com/xxx
→ This is a minor documentation placeholder, not a security concern.
references/workflow-apply-column.md:30
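| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| File system | NONE | NONE | | No file operations in documentation |
| Network access | READ | READ | ✓ Consistent | API calls to PANews platform are declared and documented |
| Command execution | NONE | NONE | | CLI script referenced but not present |
| Environment variables | READ | READ | ✓ Consistent | PA_USER_SESSION environment variable for authentication |
| Skill invocation | NONE | NONE | | No cross-skill invocation detected |
| Clipboard | NONE | NONE | | No clipboard access documented |
| Browser | NONE | NONE | | No browser automation documented |
| Database | NONE | NONE | | No direct database access |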
1 finding
Medium: External URL
https://twitter.com/xxx
references/workflow-apply-column.md:30

Directory structure

7 files · 11.3 KB · 311 lines
Markdown 6f · 304L YAML 1f · 7L
├─ 📁 agents
│ └─ 📋 openai.yaml YAML 7L · 438 B
├─ 📁 references
│ ├─ 📝 workflow-apply-column.md Markdown 37L · 1.2 KB
│ ├─ 📝 workflow-manage.md Markdown 25L · 712 B
│ ├─ 📝 workflow-polish.md Markdown 35L · 1.4 KB
│ ├─ 📝 workflow-publish.md Markdown 78L · 2.1 KB
│ └─ 📝 workflow-revise.md Markdown 44L · 985 B
└─ 📝 SKILL.md Markdown 85L · 4.5 KB

Security highlights

✓ Session verification is required before any write operations
✓ Explicit user confirmation required before destructive actions (delete)
✓ Security guidance provided: session tokens should use environment variables, not command line
✓ On 401 response, skill halts and prompts user to refresh session
✓ No credential harvesting or exfiltration patterns detected
✓ No network IOCs (Indicators of Compromise) found - only legitimate PANews API calls
✓ No base64, eval, or obfuscated code patterns
✓ No sensitive filesystem path access (no ~/.ssh, ~/.aws, .env access)
✓ No remote script execution patterns (no curl|bash or wget|sh)