Skillv1.0.0

ClawScan security

Halo博客管理，文章发布 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

ReviewMar 13, 2026, 10:00 AM

Verdict: Review
Confidence: high
Model: gpt-5-mini
Summary: The skill mostly does what it claims (publish/list/delete Halo posts) but there are important inconsistencies and a risky default that could cause your personal token to be sent to a third party if you don't override HALO_URL.
Guidance: This skill appears to implement Halo publish/list/delete correctly, but do not install or run it until you verify a few things: 1) The package metadata should declare HALO_TOKEN (and optionally HALO_URL) as required — treat HALO_TOKEN as a secret. 2) Edit halo.js (or ensure you set HALO_URL) so it does NOT default to 'https://yingdong.top' — that default will cause any HALO_TOKEN you export to be sent to that domain. 3) Install from a trusted registry (the package-lock uses an http Tencent mirror; prefer official npm registry) and run npm audit. 4) Inspect @halo-dev/api-client source/package (verify its integrity and that it points to the real Halo client). 5) When testing, use a limited-scope or throwaway token first. If the author updates metadata to declare required env vars and removes or changes the unsafe default HALO_URL, this would reduce the main concerns.

Review Dimensions

Purpose & Capability: concernThe name/description match the code (uses @halo-dev/api-client and axios to create, update, publish, list, delete posts). However the registry metadata lists no required environment variables or primary credential, while both SKILL.md and the code require HALO_TOKEN (and recommend HALO_URL). Metadata should declare HALO_TOKEN as a required credential.
Instruction Scope: concernSKILL.md instructs the user to set HALO_URL and HALO_TOKEN and to run npm install and the CLI — that matches the code. But the code has a hardcoded default HALO_URL = 'https://yingdong.top'. If a user sets HALO_TOKEN but forgets to set HALO_URL, the token will be sent to that default host. SKILL.md does not warn about this risky default.
Install Mechanism: noteThere is no automated install spec; installation is manual via npm install (documented in SKILL.md). Dependencies come from npm (package-lock.json). Resolved URLs in package-lock use a Tencent mirror over http which is unusual and could be a security concern (integrity fields exist, but http mirrors can be risky). No arbitrary remote archive/extract steps are present in the skill itself.
Credentials: concernThe skill legitimately requires a Halo Personal Access Token (HALO_TOKEN) and the blog URL (HALO_URL). Those are proportionate to the stated purpose — but they are not declared in the skill metadata. The hardcoded default HALO_URL pointing to a third-party domain means a user-supplied HALO_TOKEN could be accidentally sent to that domain, which is a high-risk mismatch between declared requirements and actual behavior.
Persistence & Privilege: okThe skill does not request persistent 'always' inclusion and does not modify other skills or system-wide settings. It runs as a CLI when invoked; normal autonomous invocation flags are default and not excessive here.