youmind-ghost-article

Security checks across malware telemetry and agentic risk

Overview

This Ghost publishing skill has a coherent writing-and-publishing purpose, but it also includes broader site-management powers such as listing, unpublishing, and permanently deleting Ghost posts without enough upfront disclosure or safeguards.

Install only if you are comfortable giving this skill access to your YouMind/Ghost credentials and letting it create, upload, publish, unpublish, and delete Ghost content. Prefer using it with a least-privilege Ghost account, review drafts before publishing, avoid passing arbitrary local file paths unless you intend to upload that file, and treat deletion/unpublish commands as administrative actions requiring manual confirmation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
85% confidence
Finding
The skill declares shell execution tools and clearly depends on network access and local configuration files, but it does not declare those capabilities in a permissions model. This weakens user visibility and policy enforcement around sensitive actions such as reading credentials from ~/.youmind/config.yaml and publishing content to remote services.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The skill advertises article writing and publishing, but the documented behavior extends to broader content-management and destructive operations such as deleting Ghost posts, listing boards/materials, and using additional YouMind APIs. This mismatch can defeat informed consent by exposing more remote actions and data access than users would reasonably expect from the description.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The CLI exposes read, state-change, and destructive Ghost management actions (list drafts/published, publish existing posts, unpublish, get post, delete) that go materially beyond the declared skill purpose of writing and publishing articles. In an agent skill context, this widens the authority surface so a user or prompt-influenced agent could enumerate, alter, or remove unrelated existing content in the connected Ghost instance, violating least privilege and increasing the chance of unauthorized content operations.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
This skill includes a permanent delete operation for Ghost posts even though its stated function is article writing and publishing, not site administration. In an agent environment, a deletion primitive is especially dangerous because a mistaken instruction, prompt injection, or misuse can irreversibly remove legitimate content from the publication with only a simple --yes confirmation.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The client exposes unpublish, delete, and bulk-listing primitives that materially exceed the advertised 'write and publish Ghost articles' scope. In an agent setting, this creates a capability mismatch: prompt injection, tool misuse, or accidental invocation could modify or remove existing content the user did not intend to touch.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill manifest says this capability is for Ghost article research, writing, and publishing, but this file also exposes a chat-based AI image generation workflow. That scope expansion is security-relevant because it enables an additional remote action path through an agent-style API (`createChat`/`listMessages`) that is not clearly disclosed by the declared skill purpose, increasing attack surface, costs, and the chance of unintended tool use or policy bypass during execution.

Vague Triggers

Medium
Confidence
78% confidence
Finding
Broad triggers such as 'ghost blog' and especially 'write ghost' increase the chance the skill activates on ambiguous requests. Because this skill can write local files and publish or modify remote Ghost content, accidental invocation could lead to unintended data changes or disclosure through external API calls.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The user-facing description emphasizes convenience and one-click publishing, but it does not prominently warn that the skill may create local draft files, use external web/YouMind services, and modify remote Ghost content. This reduces informed consent for data-modifying behavior in a skill with publishing authority.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The pipeline explicitly instructs reading a local API key from `~/.youmind/config.yaml` but does not require any user-facing notice, consent, or clear disclosure before accessing credentials. In an agent setting, silent credential access increases the risk of overbroad secret use, unexpected authentication attempts, and accidental exposure through logs, errors, or downstream tool calls.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The publish step performs remote API actions and can create or immediately publish Ghost posts, yet the workflow does not require an explicit confirmation or warning before network transmission or a live-site state change. This is dangerous because an agent could send user content to external services or publish publicly with only implicit intent, causing unintended disclosure, reputational harm, or irreversible content changes.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
uploadImage accepts an arbitrary local file path, reads the file, base64-encodes it, and sends it to a remote API. Without explicit consent and path restrictions, an agent could be induced to exfiltrate unintended local files under the guise of uploading a feature image.

Missing User Warnings

High
Confidence
94% confidence
Finding
deletePost performs a destructive remote deletion with no built-in confirmation, safeguard, or friction in this client layer. In an agentic workflow, a malicious prompt or mistaken tool call could irreversibly delete published or draft content, making this particularly risky given the skill's broader-than-advertised management capabilities.

Session Persistence

Medium
Category
Rogue Agent
Content
## Draft Location Rule

**Canonical:** write local article Markdown files to `~/.youmind/articles/ghost/<slug>.md`. This shared home directory is available to all YouMind skills — see [`shared/YOUMIND_HOME.md`](shared/YOUMIND_HOME.md).

**Legacy fallback** (if `~/.youmind/` is not writable): `skills/youmind-ghost-article/output/<slug>.md`.
Confidence
84% confidence
Finding
The draft rule writes article Markdown to `~/.youmind/articles/ghost/<slug>.md`, a shared home directory available to all YouMind skills (see `shared/YOUMIND_HOME.md`), so files this skill creates persist across sessions and are reachable by every other YouMind skill rather than being scoped to this skill's own output directory.

Shadow Command Trigger

Medium
Category
Trigger Abuse
Confidence
80% confidence
Finding
The trigger 'write ghost' can conflict with generic built-in 'write' functionality, increasing the risk that ordinary writing requests are routed into this skill. Given the skill's ability to perform external research, create files, and publish to Ghost, trigger shadowing can escalate an innocent request into unintended side effects.

VirusTotal

64/64 vendors flagged this skill as clean.
