ClawHub

ghst

v1.0.0

Work with Ghost blogs using the ghst CLI tool. Supports full Ghost Admin API access including posts, pages, members, tags, newsletters, themes, stats, social...

1· 55·0 current·0 all-time
by@nickludlam
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description, required binary (ghst), required env vars (GHOST_URL, GHOST_STAFF_ACCESS_TOKEN), and the declared npm package (@tryghost/ghst) all align with the stated purpose of providing Ghost Admin API access via the ghst CLI.
Instruction Scope
SKILL.md contains explicit, scoped runtime instructions for using the ghst CLI (use --json, non-interactive flags, read/write lexical files, etc.). It only references files and env vars relevant to Ghost operations (e.g., content.json, ~/.openclaw/.env, openclaw.json). There are no instructions to read unrelated system files or to send data to unexpected external endpoints.
Install Mechanism
Install is via the npm package @tryghost/ghst or run via npx. This is the expected mechanism for a Node CLI; npm installs can run lifecycle scripts (moderate risk), but the package and install method are coherent with the CLI nature of the skill and not unusual for the stated purpose.
Credentials
Requested env vars are limited and relevant (GHOST_URL and GHOST_STAFF_ACCESS_TOKEN). Note: a staff access token grants full Admin API privileges for the site and is therefore highly sensitive—requiring it is proportionate but requires careful handling by the user (store securely, restrict scope, rotate if exposed). Optional additional env vars listed are reasonable for configuration and are not required by default.
Persistence & Privilege
The skill does not request permanent 'always' inclusion, does not modify other skills or global config beyond per-skill openclaw.json guidance, and uses the platform's normal autonomous invocation defaults. No elevated persistence is requested.
Assessment
This skill appears to be what it claims: a wrapper around the ghst CLI for managing Ghost sites. Before installing, consider: (1) The GHOST_STAFF_ACCESS_TOKEN is an admin-level secret—only provide it for sites you trust and store it in a secure location (per-skill openclaw.json or a secured ~/.openclaw/.env). (2) Installing via npm/@tryghost/ghst is standard, but npm packages can run install scripts—prefer obtaining the package from the official TryGhost source (the declared homepage is the official repo). If you want to reduce blast radius, run the CLI via npx (no global install) and/or limit the token's lifetime or scope and rotate it after enabling the skill. (3) If you do not want the agent to act autonomously with this credential, disable or un-enable the skill when not required or adjust agent invocation settings. Overall, the skill is coherent and expected for managing Ghost, but treat the staff token as highly sensitive.

Like a lobster shell, security has layers — review code before you run it.

latestvk97bwbpbn8j6hyztt5ek9xtrt183snyt

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

👻 Clawdis
Binsghst
EnvGHOST_URL, GHOST_STAFF_ACCESS_TOKEN
Primary envGHOST_URL

Install

Install ghst (npm)
Bins: ghst
npm i -g @tryghost/ghst
Run via npx

Comments