Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ghost

v1.0.2

Ghost integration. Manage Posts, Users, Members, and Settings. Use when the user wants to interact with Ghost data.

by Membrane Dev (@membranedev)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description say 'Ghost integration' and the runtime instructions describe installing and using the @membranehq/cli to connect to Ghost, list/run actions, and proxy API requests. Required capabilities (network access and a Membrane account) match the stated purpose; nothing else is requested.
Instruction Scope
SKILL.md confines runtime actions to installing/using the Membrane CLI, creating connections, listing/running actions, and proxying to the Ghost API. It does not instruct reading unrelated files or environment variables, nor does it direct data to unexpected endpoints. It explicitly recommends not asking users for API keys.
Install Mechanism
This is an instruction-only skill (no install spec). It tells users to run 'npm install -g @membranehq/cli' which is a standard public npm package install. Global npm installation modifies the host and may require privileges or be undesirable in some environments — this is an operational consideration but not incoherent with the skill's purpose.
Credentials
No environment variables or credentials are required by the skill itself. The SKILL.md requires a Membrane account (handled via CLI/browser auth); this is proportional for a service that proxies Ghost access. There are no unrelated credential requests.
Persistence & Privilege
The skill does not request always:true, does not declare persistent config changes, and is user-invocable. Autonomous invocation is allowed by default on the platform but is not combined with other concerning privileges here.
Assessment
This skill is instruction-only and appears coherent: it uses the Membrane CLI to manage Ghost rather than asking for API keys. Before installing: (1) verify the @membranehq/cli npm package and the getmembrane.com project/repo (source of the CLI) are legitimate and maintained; (2) be aware that 'npm install -g' modifies your system and may require elevated rights — consider installing in a container or virtualenv if you prefer isolation; (3) when you run 'membrane login' you will authenticate in a browser — don't paste any one-time codes into public chats; (4) understand that after you authorize, Membrane will be able to act on your Ghost site per the granted scopes, so review and limit scopes if possible. If you need deeper assurance, ask the publisher for the exact connector permissions and the CLI source code or audit the npm package before installing.
