Ghost Publishing Pro

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Ghost CMS publishing skill, but it needs review because it exceeds its advertised Admin-API-only/no-browser boundary and includes high-impact live publishing and site-wide code-injection guidance.

Install only if you want an agent to manage a live Ghost site with a powerful, revocable Admin API key. Require explicit approval before publishing, emailing subscribers, deleting or bulk-changing content, forwarding member data to third parties, enabling cron/webhook automation, or touching site-wide code injection; keep the credential file private and out of version control.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch (Medium severity, 97% confidence)

Finding:
The skill is explicitly described as Admin-API-only, but the reference expands into public Content API usage and browser-based code injection workflows. That scope creep materially increases attack surface and makes it easier for an agent to justify actions outside the declared trust boundary, including site-wide script injection affecting all visitors.

Intent-Code Divergence (Medium severity, 98% confidence)

Finding:
Although the text says code injection is owner-only and should not be run autonomously, it immediately provides concrete automation steps to modify site-wide JavaScript through the browser UI. In practice, this is enablement for persistence or malicious client-side code deployment, which could impact every site visitor and bypass the stated Admin-API-only limitation.

Missing User Warnings (Medium severity, 91% confidence)

Finding:
The reference includes high-impact operations such as publishing posts that trigger email sends and deleting posts, but presents them as routine API examples without inline safety constraints or confirmation requirements. In an agentic context, that lowers friction for destructive or mass-notification mistakes that can damage content integrity and subscriber trust.

Missing User Warnings (Medium severity, 89% confidence)

Finding:
The documentation instructs users to store a high-privilege Ghost Admin API key in a predictable local file path and repeatedly use it in scripts, but provides no warning about protecting the file, limiting permissions, redacting output, or avoiding accidental disclosure. Because the Admin API key grants broad publishing and member-management capabilities, leakage could let an attacker publish content, alter site data, or access administrative functions.

Missing User Warnings (Medium severity, 90% confidence)

Finding:
The workflow encourages a single API action that both publishes a post and sends a newsletter to all subscribers, while emphasizing that it is 'ONE action' and hard to undo, but it does not pair that with strong safeguards or confirmation requirements. In an agent-driven environment, this increases the risk of accidental mass outbound communication, reputational damage, and irreversible distribution of incorrect or unsafe content.

VirusTotal

63/63 vendors flagged this skill as clean.