Skill v1.0.0
VirusTotal security
Ghost-Writer Sync · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 10, 2026, 3:21 AM
- Hash: 46be78cbe7f3a4fc75e4baf120bbf36c1f39485b610b64ba17779ff6c86e265e
- Source: palm
- Verdict: suspicious
- Code Insight:
  - Type: OpenClaw Skill
  - Name: ghost-writer-sync
  - Version: 1.0.0

  The skill bundle provides legitimate functionality for syncing blog posts but contains a critical shell injection vulnerability in SKILL.md. The tool execution commands (e.g., sync_posts, add_ghost) wrap user-provided arguments like 'config', 'vault', and 'api_key' in double quotes within a shell command template, allowing an attacker to execute arbitrary code via crafted inputs. Furthermore, the script requires Ghost Admin API credentials (id:secret format) while the documentation incorrectly labels them as Content API keys, potentially misleading users into providing higher-privilege access than intended.
