Ghost CMS
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: ghost-cms Version: 0.1.8 The OpenClaw AgentSkills skill bundle for Ghost CMS is classified as benign. It demonstrates a strong commitment to security through extensive input validation, secure credential handling, and clear risk communication. Key security features include robust path traversal prevention in `scripts/ghost-api.js`, `scripts/ghost-crud.js`, `scripts/snippet-extractor.js`, `scripts/theme-manager.js`, and `snippets/ghost-snippet.js`. File system operations are restricted to the current working directory or a securely initialized external snippet library (`~/.local/share/ghost-snippets/` with `0o700` permissions). The `SKILL.md` explicitly declares high-risk capabilities like 'destructive-operations' and 'public-publishing', and crucially sets `disable-model-invocation:true` to prevent autonomous agent execution, requiring explicit user commands for sensitive actions. Documentation is comprehensive, transparently outlining security warnings, best practices, and recovery procedures.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or over-eager agent action could publish content, delete data, change subscribers, moderate public comments, or alter site administration.
This shows broad Ghost Admin API mutation and public-publishing authority. It is purpose-aligned and disclosed, but the registry metadata indicates model invocation is not disabled and capability tags were not derived, so these high-impact actions are not clearly bounded by enforced user control.
Destructive Operations ... Create/update/delete posts, pages, tags ... Publish/unpublish/schedule posts (makes content public) ... Create/update/delete members, tiers, newsletters ... All POST, PUT, DELETE requests
Require explicit user confirmation for every publish, delete, user/member, billing/tier, webhook, and settings change; ensure the registered capability and invocation metadata matches the documented safety model.
Users may believe the platform enforces explicit invocation when the submitted registry metadata does not show that protection.
This documented security claim conflicts with the registry flags supplied for the skill, which say disable-model-invocation is false and the agent can invoke the skill autonomously.
Autonomous invocation disabled - Requires explicit user commands
Fix the published metadata so autonomous invocation is actually disabled, or remove the claim and document exactly when the agent may invoke the skill.
Anyone or any agent action using this key can read and modify content, users, members, comments, settings, and public publishing state.
The credential requirement is expected for Ghost Admin API management and is clearly disclosed, but it grants complete site authority.
Ghost Admin API keys provide FULL access to your Ghost site ... Admin API keys have no scoping options ... There are no read-only keys.
Use a dedicated Ghost integration key, prefer staging for testing, store it securely, rotate it regularly, and revoke it immediately if the skill is removed or no longer trusted.
If used, a webhook could keep sending Ghost events to an external destination after the immediate task is complete.
Webhook management is documented as part of the API coverage. Creating or updating webhooks can establish persistent external data flows, so users should notice this boundary even though it is part of comprehensive Ghost administration.
| Webhooks | List (GET) | Create (POST), Update (PUT), Delete (DELETE) | External integrations |
Treat webhook creation or modification as a high-impact action requiring explicit approval, destination review, and later cleanup verification.
You may run local Node code and npm dependencies that are not represented by a formal install spec in the registry metadata.
The artifact set includes runnable scripts and npm setup, but the registry install/provenance metadata is incomplete. This is a supply-chain review note, not evidence of malicious behavior.
Source: unknown ... No install spec — this is an instruction-only skill ... Code file presence 9 code file(s)
Review the repository, scripts, package.json, and package-lock before installation, and publish a proper install spec that matches the documented npm setup.