ghost-blog-writer
PendingVirusTotal audit pending.
Overview
No VirusTotal analysis has been recorded yet. File reputation checks will appear here once the artifact hash has been scanned.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked with publishing flags, the agent can make content public or schedule it on the user's Ghost site.
The skill can mutate a Ghost CMS account by creating, publishing, or scheduling posts. This is purpose-aligned and has a draft default, but users should notice the high-impact publishing flags.
Default state is **draft** — the post lands in Ghost admin for human review before going live, unless `--publish` or `--publish-at` is passed.
Use the default draft mode for review unless you intentionally want live publishing, and verify the final post before using --publish or --publish-at.
Anyone or any agent with this key may be able to create or publish content through the Ghost integration.
The skill requires a Ghost Admin API key to authenticate and post to the Admin API. This is expected for the stated purpose, but it is sensitive account authority.
`GHOST_ADMIN_KEY` | Integration -> **Admin API Key** | `<24-hex>:<64-hex>` combined
Use a dedicated Ghost integration key, keep it out of source control, avoid sharing logs or prompts containing it, and rotate it if exposed.
A user relying only on registry metadata could miss that the skill needs a sensitive Ghost Admin API key.
The registry metadata under-declares the credential and environment-variable requirement, even though SKILL.md discloses it clearly.
metadata: "Required env vars: none ... Primary credential: none"; SKILL.md: "Two values are required... `GHOST_URL` ... `GHOST_ADMIN_KEY`"
Treat GHOST_ADMIN_KEY as a required sensitive credential before enabling the skill, despite the registry metadata not listing it.