Halo Blog
Advisory
Audited by VirusTotal on Apr 15, 2026.
Overview
Type: OpenClaw Skill
Name: halo-blog
Version: 1.0.5
The skill bundle contains a shell script `scripts/md-to-html-post.sh` that is highly vulnerable to command injection. It interpolates shell variables (extracted from Markdown front matter) directly into a Python command string executed via `python3 -c`, which could lead to arbitrary code execution if a processed file contains a malicious title or slug. Additionally, the script and documentation (`references/publishing.md`) contain hardcoded references to a specific personal domain (`blog.codingshen.top`) and profile names (`blog-danke`), suggesting the bundle is either a non-generic personal tool or contains leftover configurations that could lead to unintended data being sent to a specific external site.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Opening or publishing a crafted Markdown file with this helper script could run commands on the user's machine under their account.
Values taken from the Markdown file and command-line profile are inserted directly into Python source code passed to python3 -c. A quote or crafted value in title, slug, or profile can alter the Python code that runs locally.
TITLE=$(grep -m1 '^title:' "$MD_FILE" ...)
SLUG=$(grep -m1 '^slug:' "$MD_FILE" ...)
python3 -c "... '--profile', '$PROFILE', '--name', '$SLUG', '--title', '$TITLE', '--slug', '$SLUG', ..."
Do not run the helper script on untrusted Markdown. The script should pass values via arguments, environment variables, or JSON serialization instead of embedding them in Python code.
If used carelessly, the agent could change a live site, install server-side code, remove plugins, or download sensitive backup data.
The skill documents high-impact administrative operations, including plugin installation from URLs, bulk upgrades that skip confirmation, uninstall operations, and backup downloads.
halo plugin install --url https://example.com/plugin.jar
halo plugin upgrade --all --yes
halo plugin uninstall <name> --force
halo backup download <name> --output ./backup.zip
Require explicit user confirmation before plugin/theme installs, bulk upgrades, deletes, force operations, public publishing, or backup downloads.
Anyone or any agent using the saved profile can perform actions allowed by that Halo token or account.
The skill requires Halo account credentials or tokens and stores credentials through the system keyring, which is expected for a blog-management CLI but grants significant authority.
halo auth login ... --auth-type bearer --token <your-token> ... --auth-type basic --username admin --password <your-password> ... Credentials: system keyring
Use the least-privileged token available, avoid sharing profiles, protect the local device, and delete profiles that are no longer needed.
Depending on the local npm/npx setup, this may run a locally installed or fetched package version that the skill review did not pin or verify.
The Markdown conversion helper invokes an npm package through npx without a pinned version in the skill artifacts.
if npx marked "$TMP_DIR/body.md" > "$TMP_DIR/body.html" 2>/dev/null; then
Install and pin the Markdown converter version explicitly, or use a reviewed local dependency instead of relying on unpinned npx execution.
