Ghost Publishing Pro
v1.7.1Headless Ghost publishing. Write, audit, and automate your entire Ghost operation from your AI workflow — 16 workflows covering article publishing, batch imp...
⭐ 0· 287·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
high confidencePurpose & Capability
Name/description (headless Ghost publishing) matches what the skill does: it reads a Ghost Admin integration key, generates short-lived JWTs, and performs post, image, tag, member, and batch operations via the Ghost Admin API. Requiring Node and curl (and optionally an npm package for XML parsing during migrations) is proportionate.
Instruction Scope
All runtime instructions are limited to generating JWTs from the local credentials file (~/.openclaw/credentials/ghost-admin.json), calling the user’s Ghost domain, and optionally running local migration scripts. The instructions do not attempt to read unrelated system files, call external telemetry endpoints, or exfiltrate data to third parties.
Install Mechanism
This is an instruction-only skill with no install spec and no code files executed by the platform. That lowers the installation risk; the only third-party package is optional (fast-xml-parser) and explicitly limited to migration workflows.
Credentials
The skill requires a single local credential file containing the Ghost Admin integration key and the Ghost site URL and no unrelated environment variables or credentials. Requesting file access to a dedicated credentials file is proportionate for the stated purpose. The docs correctly recommend using a dedicated, revocable integration key rather than owner credentials.
Persistence & Privilege
No persistent privileged settings are requested: always is false, there is no install step that modifies other skills or system-wide settings, and the skill does not claim to persist tokens beyond short-lived JWTs.
Assessment
This skill appears coherent and limited to administering your Ghost site via a dedicated integration key. Before installing: 1) create and use a dedicated Ghost Admin integration key (not owner credentials) and store it at ~/.openclaw/credentials/ghost-admin.json with strict file permissions; 2) inspect any scripts (the Node token generator and migration scripts) locally before running them — the skill is instruction-only and expects you to copy/run these scripts yourself; 3) avoid committing the credentials file to version control or shared folders; 4) be mindful that generated JWTs are printed to stdout in examples — treat logs as sensitive and avoid pasting tokens into shared places; 5) revoke the integration in Ghost Admin if you ever suspect misuse. If you want extra assurance, run network traffic to verify API calls go only to your Ghost domain and not to third parties.Like a lobster shell, security has layers — review code before you run it.
cmsvk9741ag2vxp0tnahedphjq6e3n8334w6ghostvk9741ag2vxp0tnahedphjq6e3n8334w6latestvk978p6gc4xjxvv8m7nh8kc0z3n84bb00migrationvk9741ag2vxp0tnahedphjq6e3n8334w6newslettervk9741ag2vxp0tnahedphjq6e3n8334w6publishingvk9741ag2vxp0tnahedphjq6e3n8334w6
License
MIT-0
Free to use, modify, and redistribute. No attribution required.