Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Panews

v0.2.2

Entry point for reading PANews cryptocurrency / blockchain news and market narratives. Triggers: today's headlines, breaking news, trending rankings, article...

0 · 263 · 0 current · 0 all-time
by Seven Du @medz
Security Scan
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (PANews reader) align with the workflows and the included CLI commands (list-articles, get-article, search-articles, get-hooks, etc.). No environment variables, binaries, or config paths are requested that would be unrelated to a news-reader skill.
Instruction Scope
SKILL.md restricts content to PANews reporting and provides explicit, scoped workflows for searches, briefings, and article reads. However it instructs the agent to execute a local Node CLI (node {Skills Directory}/panews/scripts/cli.mjs). Running that CLI gives the skill the ability to execute arbitrary JS on the host environment (network I/O, file access, environment access) — which is consistent with fetching news but broad in practice. The SKILL.md also contains a detected 'unicode-control-chars' injection signal, meaning there may be invisible characters in the text that could be hiding instructions or manipulations; that is unexpected for a normal documentation file.
Install Mechanism
No install spec (instruction-only) and the JS CLI is bundled inside the skill (scripts/cli.mjs). Bundling the executable is fine for an instruction-driven skill, but because the CLI is a large executable that will run locally, reviewers should inspect it for network endpoints, file I/O, or child_process usage. There are no external download URLs or extract steps, which reduces supply-chain risk.
Credentials
The skill declares no required environment variables, no primary credential, and no config paths. That is proportionate for a read-only news reader. However, running the bundled CLI could still access process.env or local files if its code chooses to — the SKILL.md does not request or justify any secrets.
Persistence & Privilege
always is false and the agent policy allows implicit invocation (allow_implicit_invocation: true) which is typical for skills. The skill does not request elevated or persistent system-level privileges in the metadata. There is no install step that modifies other skills or system configuration.
Scan Findings in Context
[unicode-control-chars] unexpected: SKILL.md contained unicode control characters. These are not expected in normal documentation and can be used to hide or obfuscate content (prompt-injection attempts). Recommend viewing the raw file with hidden characters revealed before trusting the skill.
What to consider before installing
This skill appears to be a coherent PANews reader: the SKILL.md workflows and bundled CLI implement article search, rankings, events, and briefings. However, before installing:
  1) Inspect scripts/cli.mjs in full for network endpoints, calls to eval/child_process, direct fs reads, or usages of process.env — look for 'fetch', 'https', 'http', 'require("child_process")', 'exec', 'spawn', 'fs.readFile', and direct references to process.env keys.
  2) Open SKILL.md in a text editor that can reveal invisible characters (zero-width/Unicode control chars) and remove or verify them — the scan flagged such characters.
  3) Prefer running the CLI in a restricted sandbox first (no secrets, network controls) to observe behavior.
  4) If you do not trust the publisher or cannot review the CLI code, do not enable autonomous invocation or install the skill.
  5) Ask the publisher for source repository or homepage and a signed release; absence of an authoritative source reduces trust.
If you want, I can scan the full CLI text for suspicious patterns (network calls, exec, env usage) — provide the full file content and I will analyze it.
scripts/cli.mjs:19
Potential obfuscated payload detected.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.

Like a lobster shell, security has layers — review code before you run it.

latest vk972qvzxvemje72k8bckfkt25d83jc7t
263 downloads
0 stars
4 versions
Updated 2h ago
v0.2.2
MIT-0

This is the core PANews reading skill for users who want to follow cryptocurrency and blockchain news through PANews coverage. Use it for market-moving headlines, project and token updates, rankings, deep dives, topics, columns, series, events, and editorial picks.

It is best suited for structured news discovery and explanation. The skill should help users understand what is happening, why it matters, and where to keep reading, while staying accessible to readers who may not be technical.

Common User Phrases

  • "What are the biggest crypto stories today?"
  • "Can you find coverage about Bitcoin, Solana, or this project?"

Capabilities

| Scenario | Trigger intent | Reference |
|---|---|---|
| Today's briefing | What's the big news today? What's happening in crypto? | workflow-today-briefing |
| Search | Search for XX / find reports about XX | workflow-search |
| Deep dive | What's going on with Bitcoin / a project / an event lately? | workflow-topic-research |
| Read an article | User provides an article URL or ID | workflow-read-article |
| Discover trending | What is everyone talking about right now? | workflow-trending |
| Latest news | Breaking news / what just happened | workflow-latest-news |
| Browse columns | What columns are there / this author's column | workflow-columns |
| Browse series | Any series coverage on XX | workflow-series |
| Browse topics | What do people think about XX / what's the community discussing | workflow-topics |
| Events | Any recent summits / hackathons / activities | workflow-events |
| Event calendar | Important events this month / project schedule | workflow-calendar |
| Platform picks | What is the editor recommending / what are the hot searches | workflow-hooks |

General principles

  • Do not predict price movements or give investment advice
  • Content strictly from PANews - do not add information PANews has not reported
  • For publishing content, use the panews-creator skill

Execution guidance

  • Use judgment for open-ended discovery tasks such as briefings, topic research, and trend summaries. Multiple valid paths are acceptable if the result stays grounded in PANews coverage.
  • Be more specific for fragile tasks:
    • If the user provides an article URL or ID, resolve the article directly instead of broadening into generic search.
    • If the task is rankings, events, calendar items, or platform picks, use the most direct matching workflow instead of combining unrelated workflows first.
    • If PANews coverage is weak or missing, say so directly rather than filling gaps with outside knowledge.

Language

All CLI commands support --lang, accepting standard locale strings (e.g. zh, en, zh-TW, en-US, ja-JP), automatically mapped to the nearest supported language. If omitted, the system locale is auto-detected. Match --lang to the user's question language.

Scripts

  • scripts/cli.mjs: unified entrypoint for PANews reader commands

node {Skills Directory}/panews/scripts/cli.mjs <command> [options]

When unsure about parameters, check with --help first:

node {Skills Directory}/panews/scripts/cli.mjs --help
node {Skills Directory}/panews/scripts/cli.mjs <command> --help

Available commands:

         list-articles    List latest articles by type
  get-daily-must-reads    Get daily must-read articles
          get-rankings    Get article hot rankings (daily: 24h hot | weekly: 7-day search trending)
       search-articles    Search articles by keyword
           get-article    Get full article content by ID
          list-columns    List or search PANews columns
            get-column    Get column details and recent articles
           list-series    List or search PANews series
            get-series    Get series details and articles
           list-topics    List or search PANews topics
             get-topic    Get topic details and latest comments
           list-events    List PANews events / activities
  list-calendar-events    List PANews calendar events
             get-hooks    Fetch PANews hooks / injection-point data by category
