Seo Blog Writer

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Ghost blog-writing and publishing workflow that uses local draft files and Ghost Admin API credentials in ways that match its stated purpose.

Install this only for agents you trust to draft and create Ghost posts. Configure a least-privilege Ghost integration if possible, keep GHOST_ADMIN_KEY out of git, review generated drafts before using --publish or --publish-at, and periodically clean tmp/blog-drafts if the drafts may contain private material.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill is designed to publish to external platforms and write local files, yet the top-level description does not prominently warn that it can perform side effects beyond drafting text. In agent environments, broad activation plus underemphasized side effects can lead to unintended publication, credential use, or filesystem modifications when a user only expected content generation.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal