Blog Content Publish

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill is mostly coherent with its stated purpose of publishing blog content, but it also enables changes to public content and bulk ClawHub skill syncs without clear approval or scoping safeguards.

Install only if you intend the agent to help publish or update blog content and possibly sync repository skills. Before real use, require the agent to show the dry-run result, list exactly which posts or skills will be changed, and wait for your explicit approval before publishing, updating, uploading, or running any `clawhub sync --all` command.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An agent following the skill could publish or alter public blog content once checks pass, which may affect the user's public site or organization reputation.

Why it was flagged

The skill can publish and update real public content. Dry-run quality gates are useful, but the visible instructions only require a clean dry-run; they do not clearly require explicit user confirmation before the high-impact real publish/update step.

Skill content

`blog-publish publish` and `blog-publish update` both accept JSON payload files and markdown files with frontmatter. ... Only proceed to real publish when dry-run is clean.

Recommendation

Require an explicit user approval step after dry-run output and before any real `publish` or `update`, and include rollback or revision guidance for changed posts.

What this means

The agent could push more skills than intended to ClawHub, including unreviewed or private repository content if the working directory contains it.

Why it was flagged

`clawhub sync --all` is a broad supply-chain action that may publish or update every skill found in the working tree. The artifact shows no path filters, no preview/diff requirement, and no explicit approval step before everything is synced.

Skill content

sync repository skills to ClawHub via `clawhub sync --all` ... Running batch skill sync to ClawHub.

Recommendation

Use explicit skill names or paths instead of `--all` by default, require a preview/diff, and ask for user confirmation before syncing to ClawHub.

What this means

The skill may act using the logged-in blog account, including listing, downloading, uploading, publishing, or updating content.

Why it was flagged

The skill uses an SSO login for the blog service. This is expected for a publishing tool, but it grants account authority and is not declared in the registry credential metadata.

Skill content

`blog-publish login --api-base https://blog.misonote.com --sso-client-id misonote-blog-web --sso-redirect-uri https://blog.misonote.com/auth/callback`

Recommendation

Use a least-privileged account where possible, confirm which account is active with `whoami` before any publish or update, and avoid using production credentials unless the requested action requires them. Because the login command takes the API base and SSO parameters as arguments, also make sure the agent only ever logs in against the host shown above, since a different `--api-base` would hand the SSO flow to another party.
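The three recommendations above (approval after dry-run, no `--all` sync, login only to the expected host) amount to one policy an agent runtime can enforce on tool calls before they reach the shell. The following is an added example written for this review; it is not code from the skill, from ClawScan or from the `blog-publish`/`clawhub` CLIs. The subcommands `publish`, `update`, `login`, `whoami` and the `clawhub sync --all` form are taken from the review text; the `--dry-run` flag name, the `clawhub sync <path...>` form without `--all`, and the approval-token mechanism are assumptions made for illustration.

```python
"""Tool-call gate for the blog-publish / clawhub commands named in this review.

Added example, not code from the skill, ClawScan, or the CLIs themselves.
Assumed for illustration: the `--dry-run` flag name, `clawhub sync <path...>`
without `--all`, and the approval-token scheme.
"""
import hashlib
import hmac
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Taken from the skill's login command; logging in anywhere else would hand
# the SSO flow to a different party.
EXPECTED_API_BASE = "https://blog.misonote.com"
HIGH_IMPACT = {"publish", "update"}   # change public content
READ_ONLY = {"whoami"}                # identity check recommended by the review


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def plan_token(plan_text: str) -> str:
    """Short token bound to one exact dry-run / preview output.

    The user approves by echoing the token back. If the plan changes after the
    user looked at it, the token no longer matches and the action is refused.
    """
    return hashlib.sha256(plan_text.encode("utf-8")).hexdigest()[:16]


def _approved(plan: str, approval: Optional[str]) -> bool:
    return approval is not None and hmac.compare_digest(plan_token(plan), approval)


def _flag_value(args: List[str], flag: str) -> Optional[str]:
    """Value of `flag` in argv, accepting both `--flag value` and `--flag=value`."""
    for i, a in enumerate(args):
        if a == flag and i + 1 < len(args):
            return args[i + 1]
        if a.startswith(flag + "="):
            return a.split("=", 1)[1]
    return None


def gate(command: str, plan: str = "", approval: Optional[str] = None) -> Decision:
    """Decide whether the agent may run `command`. Anything not listed is denied."""
    argv = shlex.split(command)
    if not argv:
        return Decision(False, "empty command")
    tool, args = argv[0], argv[1:]

    if tool == "clawhub":
        if args[:1] != ["sync"]:
            return Decision(False, "only `clawhub sync <skill...>` is permitted here")
        if "--all" in args:
            return Decision(False, "`clawhub sync --all` uploads every skill in the working tree; name skills explicitly")
        targets = [a for a in args[1:] if not a.startswith("-")]
        if not targets:
            return Decision(False, "clawhub sync needs explicit skill names or paths")
        if not _approved(plan, approval):
            return Decision(False, f"sync of {targets} needs approval of the shown preview/diff")
        return Decision(True, f"sync approved for {targets}")

    if tool == "blog-publish":
        sub = args[0] if args else ""
        if sub == "login":
            base = _flag_value(args, "--api-base")
            if base != EXPECTED_API_BASE:
                return Decision(False, f"login would send SSO credentials to {base!r}, not {EXPECTED_API_BASE}")
            return Decision(True, "login to the expected blog host")
        if sub in READ_ONLY:
            return Decision(True, f"{sub} is read-only")
        if sub in HIGH_IMPACT:
            if "--dry-run" in args:          # assumed flag name
                return Decision(True, f"{sub} dry-run changes nothing")
            if not _approved(plan, approval):
                return Decision(False, f"real {sub} needs approval of the shown dry-run output")
            return Decision(True, f"{sub} approved")
        return Decision(False, f"blog-publish subcommand {sub!r} is not on the allow list")

    return Decision(False, f"{tool!r} is not on the allow list")
```

The important design choice is that approval is not a boolean: the user approves a token derived from the exact dry-run or preview text they were shown, so a plan that grows another post or skill between the preview and the real run fails the check and has to be shown again.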

What this means

Installing the CLI gives the package code access to the user's local environment under the installing user's permissions.

Why it was flagged

The skill instructs installation of a global npm CLI package. This is central to the stated publishing workflow, but it executes third-party package code and is unpinned in the visible artifact.

Skill content

`pnpm add -g @leeguoo/blog-publish`

Recommendation

Verify the npm package publisher and version, pin an exact known-good version together with its integrity hash rather than installing whatever is currently tagged latest, and install in a controlled environment rather than globally on a workstation that holds other credentials.
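As an added example of the pinning check recommended above (not code from the skill, from ClawScan, or from pnpm/npm), the following rejects the unpinned `pnpm add -g @leeguoo/blog-publish` form, accepts only an exact `name@x.y.z` spec, and verifies a downloaded tarball against an integrity value in the `sha512-<base64>` form npm records in lockfiles. The package name is the one in the review; the version `1.2.3`, the tarball bytes and the integrity value are constructed for the example.

```python
"""Pin and integrity checks for the `pnpm add -g @leeguoo/blog-publish` step.

Added example, not code from the skill, ClawScan, or pnpm/npm. The version
1.2.3, the tarball bytes and the integrity value are constructed.
"""
import base64
import hashlib
import hmac
import re
import shlex
from typing import Optional, Tuple

# Exact semver only ("1.2.3", "1.2.3-beta.1"); ranges like ^1.2.3 or tags like latest fail.
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$")
GLOBAL_FLAGS = {"-g", "--global"}


def split_spec(spec: str) -> Tuple[str, Optional[str]]:
    """'@scope/name@1.2.3' -> ('@scope/name', '1.2.3'); a scoped name keeps its leading '@'."""
    name, _, version = spec.rpartition("@")
    if not name:            # the only '@' was the scope marker: no version given
        return spec, None
    return name, version


def is_pinned(spec: str) -> bool:
    _, version = split_spec(spec)
    return version is not None and EXACT_VERSION.match(version) is not None


def sri(data: bytes, algo: str = "sha512") -> str:
    """Subresource-Integrity string as stored in npm/pnpm lockfiles: '<algo>-<base64 digest>'."""
    return f"{algo}-" + base64.b64encode(hashlib.new(algo, data).digest()).decode("ascii")


def verify_tarball(data: bytes, expected: str) -> bool:
    """Compare downloaded tarball bytes with the integrity value that was pinned."""
    algo, _, _ = expected.partition("-")
    if algo not in {"sha256", "sha384", "sha512"}:
        return False
    return hmac.compare_digest(sri(data, algo), expected)


def check_install_command(command: str) -> Tuple[bool, str]:
    """Reject `pnpm add` of any unpinned package; accept only name@x.y.z specs."""
    argv = shlex.split(command)
    if argv[:2] != ["pnpm", "add"]:
        return False, "only `pnpm add` is reviewed here"
    specs = [a for a in argv[2:] if not a.startswith("-")]
    if not specs:
        return False, "no package given"
    for spec in specs:
        if not is_pinned(spec):
            return False, f"{spec!r} is unpinned; use name@x.y.z and record its integrity hash"
    scope = "global" if GLOBAL_FLAGS & set(argv) else "local"
    return True, f"{scope} install of {specs} is pinned"


# Constructed stand-ins. In real use the integrity value comes from the lockfile
# or registry metadata recorded at review time, never from the bytes being checked.
FAKE_TARBALL = b"constructed stand-in for @leeguoo/blog-publish-1.2.3.tgz"
PINNED_INTEGRITY = sri(FAKE_TARBALL)
```

Pinning the version alone is not enough, because a registry can serve different bytes for the same version string; the integrity value is what ties the install to the tarball that was actually reviewed.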