Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Halo Blog

v1.0.5

Use when managing a Halo blog instance via CLI, including authentication, posts, pages, themes, plugins, attachments, backups, comments, moments, notificatio...

by AlexShen (@alex-shen1121)

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for alex-shen1121/halo-blog.

Install the skill "Halo Blog" (alex-shen1121/halo-blog) from ClawHub.
Skill page: https://clawhub.ai/alex-shen1121/halo-blog
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: halo
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install halo-blog

ClawHub CLI

npx clawhub@latest install halo-blog

Security Scan

Capability signals: Requires OAuth token, Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

VirusTotal: Suspicious
OpenClaw: Benign (high confidence)

Purpose & Capability
Name/description ask for a Halo CLI helper and the skill only requires the 'halo' binary and documents using the @halo-dev/cli npm package and related CLI commands. Files and examples (posts, themes, attachments, backups, comments, search) are coherent with Halo blog administration.
Instruction Scope
SKILL.md and reference docs instruct the agent/user to run halo CLI commands, convert Markdown to HTML (via npx marked or local tools) and run small helper scripts. This is within scope. Notes of caution: (1) publishing.md and references describe generating/uploading cover images and instruct confirming generated images in the current conversation — if an agent automates that step it could send generated images or content to whatever endpoint the agent uses; (2) operations/publishing allow installing/upgrading themes/plugins from arbitrary URLs and provide flags like --yes/--force to skip confirmations, which is expected but potentially dangerous if used non-interactively.
Install Mechanism
There is no automatic install spec (instruction-only). SKILL.md advises 'npm install -g @halo-dev/cli' and uses 'npx marked' for conversion — both will fetch packages from the npm registry at install/run time. This is proportional to the task (Markdown conversion and CLI install) but implies network downloads from npm which the user should vet.
Credentials
The skill requests no environment variables or credentials. References explain where Halo stores config (~/.config/halo/config.json) and the system keyring, which is expected for a CLI tool. No unexpected secrets or unrelated environment access is requested.
Persistence & Privilege
always is false, the skill is user-invocable and can be called autonomously (platform default). The skill doesn't request persistent system modifications beyond running the halo CLI (which will manage its own config). The included script uses temporary directories and cleans up after itself.
Scan Findings in Context
[pre-scan:none-detected] expected: No static scan findings were detected. This is consistent with an instruction-focused skill that mostly runs a separate CLI binary.
Assessment
This skill appears to do what it says: it wraps and documents the Halo CLI and includes a helper script to publish Markdown. Before installing/using: (1) verify the source of the @halo-dev/cli npm package (check the npm registry/homepage) and ensure you trust the halo binary you install; (2) be aware npm/npx will download packages at install/run time; (3) avoid running destructive or non-interactive commands (plugin/theme install from arbitrary URLs, --yes/--force) unless you trust the target URL and know the effect; (4) protect your Halo credentials (they live in ~/.config/halo and the system keyring) and do not paste them into untrusted places; (5) the helper script prints a hardcoded example domain (blog.codingshen.top) in its output — that is just a placeholder and not contacted by the script. If you want higher assurance, review the @halo-dev/cli package and run commands in a sandboxed environment first.

Like a lobster shell, security has layers — review code before you run it.

Plugin bundle (nix)
Skill pack · CLI binary · Config
CLI help (from plugin)
halo --help

Runtime requirements

Bins: halo
Tags: blog, cli, content-management, halo, latest
87 downloads
0 stars
6 versions
Updated 1w ago
v1.0.5
MIT-0

Halo Blog CLI Skill

A command-line tool skill for managing Halo blog instances.

Installation

npm install -g @halo-dev/cli

Verify:

halo --version
halo --help

Requirements: Node.js >= 22

Quick Start

  1. Authenticate (see references/auth.md):

    halo auth login --profile local --url http://127.0.0.1:8090 --auth-type bearer --token <token>
    
  2. Create a post from Markdown (see content.md for full format rules):

    halo post import-markdown --file ./article.md --force
    

    Markdown files are converted to HTML automatically by default; if conversion fails, the import falls back to raw Markdown.

  3. List posts:

    halo post list
    

Command Areas

Area | Commands | Reference
Authentication | halo auth * | auth.md
Publishing Rules | Markdown → HTML workflow, front matter, visibility checks | publishing.md
Posts & Pages | halo post *, halo single-page * | content.md
Themes, Plugins, Attachments, Backups, Moments | halo theme *, halo plugin *, halo attachment *, halo backup *, halo moment * | operations.md
Comments & Notifications | halo comment *, halo notification * | moderation.md
Public Search | halo search * | search.md

Shared Conventions

  • Profile selection: Use --profile <name> when working with multiple Halo instances.
  • JSON output: Use --json for scripted or automated workflows.
  • Non-interactive safety: Destructive commands (delete, uninstall, overwrite imports) usually require --force when run non-interactively.
  • Basic Auth requirement: If using basic auth instead of bearer token, ensure Halo is started with --halo.security.basic-auth.disabled=false.
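
A pre-flight check an operator could run over a halo argument list proposed by an agent before executing it, given as an added example that is not part of the skill or the halo CLI. It relies only on flags shown on this page (--force, --yes, --token, --url); the function names and finding labels are hypothetical.

```shell
# Added example: flag names come from this page; function names and
# finding labels are hypothetical and not part of the halo CLI.

_hp_add() { findings="${findings:+$findings,}$1"; }

# halo_preflight ARGS... : ARGS are the words that would follow "halo".
# Prints comma-separated findings; empty output means nothing was flagged.
halo_preflight() {
  area=${1:-}; findings=""; prev=""
  for arg in "$@"; do
    val=$arg
    case "$arg" in --*=*) val=${arg#*=} ;; esac   # handle --flag=value form

    case "$arg" in
      # Confirmation prompts are the last check before a destructive action.
      --force|--yes) _hp_add "skips-confirmation:$arg" ;;
      --token=*)     _hp_add "token-in-argv" ;;
    esac
    # A token passed as an argument lands in shell history and the process list.
    if [ "$prev" = "--token" ]; then _hp_add "token-in-argv"; fi

    case "$val" in
      http://*|https://*)
        case "$area" in
          # A URL on a theme/plugin command means code is fetched from that host.
          theme|plugin) _hp_add "remote-package-url" ;;
          auth)
            case "$val" in
              https://*) ;;
              # Exact loopback hosts only: 127.0.0.1.example.test must not pass.
              http://127.0.0.1|http://127.0.0.1[:/]*) ;;
              http://localhost|http://localhost[:/]*) ;;
              *) _hp_add "cleartext-url" ;;
            esac ;;
        esac ;;
    esac
    prev=$arg
  done
  printf '%s' "$findings"
}
```

An empty result means none of these patterns matched, not that the command is safe to run unattended.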

Common Workflows

Switch between environments

halo auth profile list
halo auth profile use production

Export and import a post

halo post export-json my-post --output ./post.json
halo post import-json --file ./post.json --force

Publish via Markdown file

halo post import-markdown --file ./article.md --force

Upgrade all App Store themes/plugins

halo theme upgrade --all
halo plugin upgrade --all --yes

Search public content without login

halo search --keyword "halo" --url https://www.halo.run

Troubleshooting

  • Login fails with anonymous user: Basic auth is likely disabled on the Halo server. Add --halo.security.basic-auth.disabled=false to Halo startup flags.
  • Credential issues: Run halo auth profile doctor to diagnose keyring/config problems.
  • Profile not found: Ensure --profile matches an existing profile from halo auth profile list.
