Halo博客管理，文章发布

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This Halo blog tool mostly matches its stated purpose, but it can send your access token to a hard-coded default site if misconfigured and can delete the first matching post without confirmation.

Only install this if you understand the Halo API access it gets. Before use, set HALO_URL explicitly to your own blog, use a least-privilege HALO_TOKEN, verify the npm dependencies, and avoid using the delete command unless you have confirmed the exact post to remove.

Static analysis

Env credential access

Critical

Finding: Environment variable access combined with network send.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

#ASI03: Identity and Privilege Abuse

High

What this means

If a user sets HALO_TOKEN but forgets or mistypes HALO_URL, the token could be sent to an unintended site, potentially exposing control over the blog account.

Why it was flagged

The code sends the user's personal access token as a bearer token to HALO_URL, but if HALO_URL is missing it defaults to a hard-coded external domain.

Skill content

const HALO_URL = process.env.HALO_URL || 'https://yingdong.top';
const HALO_TOKEN = process.env.HALO_TOKEN;
...
'Authorization': `Bearer ${HALO_TOKEN}`

Recommendation

Require an explicit HALO_URL, remove the hard-coded default, declare HALO_TOKEN/HALO_URL in metadata, and recommend a least-privilege token.

#ASI02: Tool Misuse and Exploitation

Medium

What this means

A vague keyword or autonomous agent choice could delete the wrong blog post or remove content the user intended to keep.

Why it was flagged

The delete command searches by keyword, takes the first match, and deletes it without showing all matches or asking for confirmation.

Skill content

const postName = data.items[0].post.metadata.name;
await consoleApiClient.content.post.deletePostContent({ name: postName });

Recommendation

Require an exact post ID or slug, display the matched post, and ask for explicit confirmation before deleting.

#ASI04: Agentic Supply Chain Vulnerabilities

Low

What this means

Dependency installation depends on an external mirror; integrity hashes reduce but do not eliminate supply-chain and provenance concerns.

Why it was flagged

The dependency is locked with an integrity hash, but the resolved package source uses an HTTP mirror rather than HTTPS.

Skill content

"resolved": "http://mirrors.tencentyun.com/npm/@halo-dev/api-client/-/api-client-2.22.0.tgz",
"integrity": "sha512-gJKJWQxG2nzcANrRddED9P0pefmdanWm0+kV3cgGrtqnF6ULnckB4KIKUPmMOwdCBg1QEPQ30Txc9AfYwlu4kQ=="

Recommendation

Use HTTPS package sources, keep the lockfile, and install only after reviewing the package provenance.