Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Tistory API CLI

v0.1.1

An unofficial CLI tool that supports reading, editing and deleting Tistory blog posts, listing categories, and uploading images from the terminal, and provides Korean error messages.

by Chloe Park (@chloepark85)

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for chloepark85/tistory-api-cli.

Install the skill "Tistory API CLI" (chloepark85/tistory-api-cli) from ClawHub.
Skill page: https://clawhub.ai/chloepark85/tistory-api-cli
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

openclaw skills install tistory-api-cli

ClawHub CLI

npx clawhub@latest install tistory-api-cli
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The skill claims to be a Tistory CLI (read/update/delete posts, categories, upload images) which legitimately requires a Tistory access token and blog identifier, but the registry metadata declares no required environment variables or primary credential. This mismatch between declared requirements and the SKILL.md content is incoherent and should be resolved.
Instruction Scope
The SKILL.md contains focused runtime instructions (install via pipx/uv/pip, example CLI commands) and does not instruct the agent to read unrelated system files or exfiltrate data. However, it references environment variables (TISTORY_ACCESS_TOKEN, TISTORY_BLOG_NAME) that are not reflected in the metadata, which expands runtime scope with undeclared secrets.
Install Mechanism
This is an instruction-only skill (no install spec). The README suggests installation via pipx/uv/pip from PyPI, which is a standard mechanism for Python CLIs. No high-risk download URLs or extract/install steps are present in the SKILL.md.
! Credentials
The SKILL.md lists TISTORY_ACCESS_TOKEN and TISTORY_BLOG_NAME as environment variables used 'if needed', but the skill metadata does not declare any required env vars or primary credential. Requesting an API token to operate is proportionate to the stated purpose, but the omission from metadata reduces transparency and prevents platform-level controls (e.g., prompting the user for the right secret).
Persistence & Privilege
The skill does not request always:true, has no declared config paths, and is not installer-backed in the skill package. It does not request elevated persistent presence or permission to modify other skills or system-wide settings.
What to consider before installing
This skill appears to be a legitimate CLI for Tistory, but there are two red flags: the source/homepage is unknown and the SKILL.md mentions environment variables (TISTORY_ACCESS_TOKEN, TISTORY_BLOG_NAME) that are not declared in the skill metadata. Before installing or granting secrets:
1) Locate and inspect the package source (PyPI project page or GitHub repo) and review the code that handles your access token.
2) Prefer installing in a sandbox or disposable environment (container or VM) and inspect network activity during first use.
3) Do not paste your TISTORY_ACCESS_TOKEN in public places; provide it only via secure environment-variable mechanisms.
4) Ask the publisher to update the skill metadata to declare required env vars/primary credential and provide a verifiable homepage/source.
If you cannot verify the package/source, treat it as untrusted.

Like a lobster shell, security has layers — review code before you run it.

Tags: blog, cli, latest, tistory
92 downloads
0 stars
1 version
Updated 1w ago
v0.1.1
MIT-0

Tistory API CLI

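A lightweight CLI for controlling a Tistory blog from the terminal. It supports reading, updating and deleting posts, listing categories, and POSTing image attachments. It validates request/response schemas and reports error messages in Korean. For environments without a Python runtime it provides a uv/pipx-based installation guide, and it includes pytest unit tests and GitHub Actions CI. A pip install path is provided with PyPI distribution (tistory-api-cli) in mind.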

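What's new in v0.1.1

  • SKILL.md metadata applied and the tag (latest) kept
  • Feature enhancements
    • Added read (read-post), update, delete, and category listing
    • Support for file attachment (image) POST
    • Request/response schema validation and Korean-language error messages
  • Stability/quality
    • README installation guide (uv/pipx) expanded for environments without a Python runtime
    • Added pytest-based unit tests (fake response fixtures) and GitHub Actions CI
    • pip install path provided with PyPI distribution (tistory-api-cli) in mind
  • Expansion plans
    • Research and spec writing for a separate Velog skill (velog-cli) (blog/series CRUD, tags/search)
    • Better accessibility for overseas users through stronger mixed Korean-English documentation and examples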

Installation

  • pipx
    • pipx install tistory-api-cli
  • uv
    • uv tool install tistory-api-cli
  • pip (less recommended)
    • pip install tistory-api-cli

Usage examples

  • Read a post: tistory-cli read --post-id 12345
  • Update a post: tistory-cli update --post-id 12345 --title "제목" --content @body.md
  • Delete a post: tistory-cli delete --post-id 12345
  • List categories: tistory-cli categories
  • Upload an image: tistory-cli upload-image ./image.png

Environment variables (if needed)

  • TISTORY_ACCESS_TOKEN: Tistory API token
  • TISTORY_BLOG_NAME: default blog identifier

Links

  • GitHub: to be provided

License

MIT-0
