Halo Blog
SuspiciousAudited by ClawScan on May 10, 2026.
Overview
The skill mostly matches Halo blog administration, but its included Markdown publishing script can execute unsafe local Python built from Markdown metadata.
Use this only for a Halo instance you administer. Review every destructive, bulk, plugin/theme, backup, and publish action before approving it. Avoid the included md-to-html-post.sh helper until its Python interpolation is fixed, especially with Markdown files from other people.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Opening or publishing a crafted Markdown file with this helper script could run commands on the user's machine under their account.
Values taken from the Markdown file and command-line profile are inserted directly into Python source code passed to python3 -c. A quote or crafted value in title, slug, or profile can alter the Python code that runs locally.
TITLE=$(grep -m1 '^title:' "$MD_FILE" ...) SLUG=$(grep -m1 '^slug:' "$MD_FILE" ...) python3 -c "... '--profile', '$PROFILE', '--name', '$SLUG', '--title', '$TITLE', '--slug', '$SLUG', ..."
Do not run the helper script on untrusted Markdown. The script should pass values via arguments, environment variables, or JSON serialization instead of embedding them in Python code.
If used carelessly, the agent could change a live site, install server-side code, remove plugins, or download sensitive backup data.
The skill documents high-impact administrative operations, including plugin installation from URLs, bulk upgrades that skip confirmation, uninstall operations, and backup downloads.
halo plugin install --url https://example.com/plugin.jar halo plugin upgrade --all --yes halo plugin uninstall <name> --force halo backup download <name> --output ./backup.zip
Require explicit user confirmation before plugin/theme installs, bulk upgrades, deletes, force operations, public publishing, or backup downloads.
Anyone or any agent using the saved profile can perform actions allowed by that Halo token or account.
The skill requires Halo account credentials or tokens and stores credentials through the system keyring, which is expected for a blog-management CLI but grants significant authority.
halo auth login ... --auth-type bearer --token <your-token> ... --auth-type basic --username admin --password <your-password> ... 凭据:系统 keyring
Use the least-privileged token available, avoid sharing profiles, protect the local device, and delete profiles that are no longer needed.
Depending on the local npm/npx setup, this may run a locally installed or fetched package version that the skill review did not pin or verify.
The Markdown conversion helper invokes an npm package through npx without a pinned version in the skill artifacts.
if npx marked "$TMP_DIR/body.md" > "$TMP_DIR/body.html" 2>/dev/null; then
Install and pin the Markdown converter version explicitly, or use a reviewed local dependency instead of relying on unpinned npx execution.