
Security audit

Ghost Publisher

Security checks across malware telemetry and agentic risk

Overview

This is a transparent Ghost CMS publishing tool, but it can modify live posts, delete posts, upload media, and send newsletters when given Ghost admin credentials.

Install only if you want an agent or workflow to manage a Ghost site. Use a dedicated Ghost custom integration key, keep it out of logs and repositories, test against drafts or staging first, require human approval before publishing, emailing newsletters, or deleting posts, and restrict image inputs to trusted URLs or approved local files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 92%
Finding: The skill documentation declares required environment variables but does not declare permissions, despite describing capabilities that read environment variables, read local files, write or update local or remote content, and perform network operations. This creates a transparency and policy-enforcement gap: callers may grant or execute a skill with broader effective capabilities than are explicitly surfaced, increasing the risk of unintended secret exposure or unauthorized external actions.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The `uploadImage(url_or_path, alt)` contract explicitly permits both remote URL fetching and local file path access without any security constraints. In an agent setting, this can enable SSRF against internal services or unintended local file reads if an untrusted caller can influence `url_or_path`, making the interface materially dangerous in context.

Vague Triggers

Severity: Medium
Confidence: 85%
Finding: The README frames the skill as turning a broad natural-language intent like "publish this article" into a single call. In an agentic environment, that kind of loose trigger can cause unintended execution of externally visible actions if an agent maps ambiguous user text directly onto the publishing pipeline without confirmation.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The README documents commands that create, publish, schedule, delete, and upload content to a live Ghost CMS, but it does not clearly warn that these operations are destructive and externally visible. In agent-driven workflows, this increases the risk of accidental publication, newsletter sends, or deletion of content on production sites.

Missing User Warnings

Severity: Medium
Confidence: 83%
Finding: The skill exposes delete operations in both the interface and CLI examples without an explicit warning, confirmation step, or note that deletion is irreversible. In an agentic setting, this increases the chance of accidental content destruction from prompt mistakes, automation bugs, or ambiguous operator intent, especially because the skill targets live CMS content.

VirusTotal

52/52 vendors flagged this skill as clean.