ghost cms
v1.0.5Manage Ghost CMS blog posts via Admin API. Supports creating, updating, deleting, and listing posts. Use when the user needs to programmatically manage Ghost...
⭐ 2· 1.5k·2 current·2 all-time
bymanifold@manifoldor
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
Name/description (Ghost Admin API client) match the included code and instructions. The skill expects a JSON config file containing api_url and admin_api_key rather than environment variables; that is a legitimate design choice but differs from many skills that declare required env vars. Some sample paths and a hardcoded domain ('fu-ye.com') appear to be leftover from the original author's environment and are not necessary for general use.
Instruction Scope
SKILL.md and the code keep to Ghost management tasks (create/update/delete/list posts, upload images). The runtime instructions explicitly require a user-provided JSON config file and instruct installing only requests and pyjwt. The code will download remote images when given external image URLs (to re-upload them) which is consistent with the stated 'localize upload' behavior; this means the script can make arbitrary outbound HTTP GET requests for images if the user supplies external URLs.
Install Mechanism
There is no automated install spec; the skill is instruction-and-script only. Dependencies are installed via pip as documented in SKILL.md (requests, pyjwt). No downloads from untrusted arbitrary URLs or archive extraction were found in the provided files.
Credentials
The skill requests no platform environment variables, relying instead on a local JSON config file containing the Admin API Key (id:secret). That is proportionate to the stated purpose. However, the registry metadata does not declare this config requirement as a required credential, which is a minor metadata mismatch the user should be aware of.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or global agent configuration. It runs as an on-demand script and examples show importing the local script; no persistent or elevated privileges are requested.
Assessment
This skill is coherent with its Ghost CMS purpose, but review these before installing: (1) You must provide a JSON config file containing api_url and the Admin API Key (id:secret); store that file securely and do not commit it to source control. (2) The script will download external image URLs provided by you and re-upload them to your Ghost instance — avoid passing untrusted URLs to prevent unexpected outbound requests. (3) Examples and one conditional branch are specific to a sample domain (fu-ye.com) and example file paths; replace those with your own. (4) The scripts call requests and pyjwt — install those packages in an isolated environment (virtualenv) and inspect scripts/ghost.py yourself before use (there is a small truncation/typo in the distributed listing that suggests verifying the full file). If you need the platform to manage credentials, consider storing the Admin API Key in a secure secret store instead of a filesystem file.Like a lobster shell, security has layers — review code before you run it.
Ghost CMSvk978kwpqe0maat8ahmz11xmh1h80fbzmlatestvk975c6sek7yqb2x9zwbcn336h582n6m9
License
MIT-0
Free to use, modify, and redistribute. No attribution required.