Ghost CMS

Security checks across malware telemetry and agentic risk

Overview

This is a real Ghost CMS admin integration, but it needs review because it includes broad site-changing authority and one bundled script that can update a hard-coded post without confirmation.

Install only if you are comfortable giving the skill full Ghost Admin API authority. Use a staging Ghost site or dedicated integration key when possible, review all generated content before publishing or emailing subscribers, avoid running update-teapot.js, and keep exported member data or snippets outside version-controlled folders.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (19)

Intent-Code Divergence

Medium, 96% confidence
Finding
The instructions claim a JWT token is required, but the example actually sends the raw Ghost Admin API key directly in the Authorization header. This can cause users to handle secrets incorrectly, fail authentication, and normalize placing long-lived admin credentials directly into commands and logs, increasing exposure risk for a highly privileged key.

Intent-Code Divergence

Medium, 92% confidence
Finding
The documentation strongly recommends storing snippets outside the repository for safety, then later provides examples that write snippet content into repo paths. That inconsistency can lead users to place Ghost-derived content in version-controlled locations, increasing the risk of accidental commits, exposure of unpublished/editorial content, and leakage across collaborators or public repositories.

Vague Triggers

Medium, 95% confidence
Finding
The example trigger encourages automatic generation and immediate publication of public content from an open-ended prompt. In the context of Ghost Admin API keys with full-site privileges, this can lead to accidental public posting, reputational harm, or abuse if the agent acts on ambiguous or unreviewed instructions.

Missing User Warnings

Medium, 92% confidence
Finding
This example exports subscriber data including email addresses, names, creation dates, and status directly to a local CSV file without any warning about handling personal data. In an agent skill context, users may run the command verbatim and unintentionally create an unencrypted local copy of member PII that can persist on disk, be synced to cloud storage, or be exposed to other local users/processes.

Missing User Warnings

Low, 81% confidence
Finding
This example writes analytics and content metadata to a local CSV file without informing the user that the data will persist on disk. Although the exported fields are less sensitive than subscriber PII, local persistence can still leak internal publishing and engagement data through shared machines, backups, logs, or cloud-synced folders.

Missing User Warnings

Medium, 92% confidence
Finding
The document provides direct instructions for publishing, scheduling, and updating Ghost content through the Admin API without an explicit warning that these actions can affect live production content. In an agent skill context, this increases the risk of accidental destructive or unauthorized changes because an automation may treat the examples as safe defaults and execute state-changing operations against a real site.

Missing User Warnings

Medium, 95% confidence
Finding
The examples show use of the Ghost Admin API key in an Authorization header but do not warn about secret handling, log exposure, shell history leakage, or shared-terminal risks. In practice, documentation like this is often copied verbatim into scripts, notebooks, CI logs, or debugging output, which can expose high-privilege credentials.

Missing User Warnings

Medium, 93% confidence
Finding
The documentation includes a direct member deletion example without any caution about irreversibility, backup, or confirming the target identity first. In an admin-facing skill for managing real subscribers, this materially increases the chance of accidental destructive actions against production member data.

Missing User Warnings

Medium, 88% confidence
Finding
The bulk import workflow processes member emails and names from CSV and transmits them to the Ghost Admin API, but it omits privacy, consent, and secure-handling guidance for personal data. This can lead to unauthorized import of PII, mishandling of subscriber data, or use of unvetted source files in regulated environments.

Missing User Warnings

Medium, 94% confidence
Finding
The bulk label update example modifies many member records in a loop with no warning about scope, rollback difficulty, or dry-run validation. In a production membership system, a bad filter or malformed label merge can silently alter segmentation and downstream communications for the entire user base.

Missing User Warnings

Medium, 94% confidence
Finding
These examples show how to publish or schedule posts that can immediately trigger outbound email to subscribers, but they do not prominently warn that these actions may send bulk messages to real users. In an agent skill context, this increases the risk of accidental mass emailing, reputational damage, and unwanted subscriber contact if an automation follows the examples without explicit human confirmation.

Missing User Warnings

Medium, 95% confidence
Finding
The member update examples modify newsletter subscriptions and can replace or clear a user's existing preferences, including unsubscribing them from all newsletters. Without a clear warning, an agent or operator may unintentionally alter subscriber consent state, creating compliance, trust, and operational risks.

Missing User Warnings

High, 98% confidence
Finding
The migration workflow performs bulk changes to member newsletter subscriptions at scale, yet it lacks a warning about mass preference modification and the risk of widespread unintended changes. In an automated setting, a mistake in IDs, filtering, or jq logic could silently affect large numbers of subscribers and create serious consent, deliverability, and reputational issues.

Missing User Warnings

Medium, 95% confidence
Finding
This script automatically reads Ghost Admin API credentials from the user's local configuration directory at startup without any explicit consent, prompt, or disclosure. In an agent skill context, that behavior creates a credential-access capability that can be triggered implicitly, enabling unauthorized use of sensitive publishing credentials and making secret exfiltration or unintended authenticated actions more likely.

Missing User Warnings

Medium, 93% confidence
Finding
`createHTMLCard(html)` directly embeds arbitrary HTML into Ghost Lexical content with no sanitization, validation, or trust boundary checks. In a CMS integration skill, this can enable stored XSS or unsafe content injection if untrusted input is passed through and later rendered in the admin UI, website, or email contexts depending on Ghost's downstream handling.

Missing User Warnings

Medium, 88% confidence
Finding
The script silently reads local admin credentials and immediately uses them for authenticated remote requests without prompting, disclosure, or host validation. In an agent skill context, this is risky because a user or operator may not realize the skill accesses sensitive local secrets and transmits them to whatever URL is present in the local config, including a maliciously altered endpoint.

Missing User Warnings

Medium, 92% confidence
Finding
The script performs an authenticated PUT to update a specific Ghost post and logs only after beginning the operation, with no dry-run mode, confirmation, or safety check. In a content-management skill, silent remote modification is dangerous because it can overwrite production content unexpectedly, especially when coupled with automatic credential loading.

Missing User Warnings

Medium, 94% confidence
Finding
The README provides commands that save snippet data under repository paths without a nearby warning that this may store user-generated Ghost content in a version-controlled directory. In practice, users may copy-paste these commands and unintentionally commit private drafts, disclosures, member-related copy, or other sensitive editorial assets to source control.

Missing User Warnings

Medium, 95% confidence
Finding
The extraction example pipes Ghost post content directly into `snippets/library/my-snippet.json`, which appears to be a repo-local path, without an explicit data-exposure warning. Because extracted content may include unpublished text, internal boilerplate, or regulated disclosures, this creates a realistic accidental-leak path via commits, backups, or shared repositories.

VirusTotal

64/64 vendors flagged this skill as clean.
