ClawHub

Ghost CMS Agent

v1.0.0

Manage Ghost CMS content via the REST API. Create and publish posts, manage tags, and fetch site analytics. Supports both the Content API (public data) and A...

0· 78·0 current·0 all-time
by@kryzl19
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (manage Ghost posts, tags, and stats) matches the included scripts (new-post, posts, tags, stats). Required env vars GHOST_URL and GHOST_ADMIN_API_KEY are appropriate for the Admin API operations performed.
Instruction Scope
SKILL.md and scripts confine actions to the Ghost Admin API endpoints on the configured GHOST_URL and do not attempt to read unrelated files or contact other external hosts. Minor inconsistency: SKILL.md mentions an optional GHOST_CONTENT_API_KEY, but none of the included scripts actually use that variable.
Install Mechanism
No install spec (instruction-only) which is low-risk. However, the scripts have runtime dependencies not declared in the registry metadata: they invoke curl, jq, column, xargs, tr, sed and other standard shell utilities. The manifest lists no required binaries; the skill should declare these dependencies so users know what will be executed.
Credentials
Requesting GHOST_ADMIN_API_KEY is proportionate to creating/publishing posts and managing tags. Note: the Admin API key is powerful (can modify site content and members). If you only need read-only operations, prefer using a Content API key or a scoped credential instead.
Persistence & Privilege
The skill does not request persistent/always-on inclusion and does not modify other skills or system config. It runs ad-hoc scripts that call the Ghost API; no additional privileges are requested.
Assessment
This skill's code is readable and does what it says: it calls your Ghost site using the provided GHOST_URL and GHOST_ADMIN_API_KEY. Before installing, consider: 1) The Admin API key grants full management rights—use a least-privilege key or a dedicated integration account if possible. 2) The manifest omits runtime CLI dependencies (jq, curl, column, xargs, sed, tr); ensure your environment provides these tools. 3) SKILL.md mentions an optional Content API key, but the scripts don't use it—if you only want read-only access, confirm the scripts won't use the Admin key in your workflow. 4) The skill owner is unknown; if you will run these scripts against a production site, review/verify the code or run in a safe test environment first.

Like a lobster shell, security has layers — review code before you run it.

blogvk972bgnm02pt87tg63ygj1grr183kr7ecmsvk972bgnm02pt87tg63ygj1grr183kr7eghostvk972bgnm02pt87tg63ygj1grr183kr7elatestvk972bgnm02pt87tg63ygj1grr183kr7epublishingvk972bgnm02pt87tg63ygj1grr183kr7e

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

👻 Clawdis
EnvGHOST_URL, GHOST_ADMIN_API_KEY

Comments