Ghost CMS
v0.1.8Comprehensive Ghost CMS integration for creating, publishing, scheduling, and managing blog content, newsletters, members, and analytics. Use when working with Ghost blogs for content creation (drafts, publishing, scheduling), member/subscriber management (tiers, newsletters), comment moderation, or analytics (popular posts, subscriber growth). Supports all Ghost Admin API operations.
⭐ 3· 2k·1 current·1 all-time
byGiddy@chrisagiddings
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description match requested items: Node/npm are required to run included JS scripts, and GHOST_ADMIN_KEY + GHOST_API_URL are exactly the credentials needed to operate the Ghost Admin API. Declared dependencies (form-data, jsonwebtoken) are appropriate for uploads and JWT auth. No unrelated credentials or binaries are requested.
Instruction Scope
SKILL.md instructs only Ghost-related operations (create/update/publish posts, member management, theme uploads, analytics queries) and how to store credentials locally or via 1Password. It warns about the full privileges of Admin API keys. The runtime instructions and examples only target the Ghost API and local files under ~/.config/ghost; they do not instruct exfiltration to arbitrary external endpoints.
Install Mechanism
This is instruction-first but contains an npm install step (scripts/ directory). npm is a standard, traceable source; the listed dependencies are small and expected. This is moderate-risk compared to 'no install' but acceptable for a Node-based skill. No downloads from arbitrary URLs or URL shorteners are present in SKILL.md. Recommend reviewing scripts/package-lock.json and installed dependency list before running npm install.
Credentials
Only GHOST_ADMIN_KEY and GHOST_API_URL are required (and the metadata documents optional config file locations). The Admin key is the correct primary credential for full Admin API operations. The skill correctly documents that Admin keys are full-access and gives security guidance. No unrelated secrets or multiple external credentials are requested.
Persistence & Privilege
Skill is not declared always:true and is user-invocable. SKILL.md metadata sets disable-model-invocation: true (autonomous invocation disabled), but the registry-level flags shown at the top list disable-model-invocation: false — there is a metadata inconsistency to confirm. Besides that, the skill will perform destructive operations if given an Admin key (this is expected for Ghost management).
Assessment
This skill appears to be a legitimate Ghost Admin API integration. Before installing: 1) Understand that the GHOST_ADMIN_KEY is full-admin — create a dedicated integration key for this skill (use staging if possible) and rotate/revoke it when no longer needed. 2) Review the included scripts (especially scripts/update-teapot.js and any script that uploads or posts content) and package-lock.json for any unexpected network calls or uncommon dependencies before running npm install. 3) Confirm whether autonomous invocation is allowed on your platform — SKILL.md metadata disables model invocation but registry metadata appears different; if you prefer to avoid any autonomous actions, ensure the skill cannot be invoked without explicit user consent. 4) Keep keys out of git and prefer secure storage (1Password/secure env) as documented. If you need extra assurance, run npm install in a disposable environment and inspect network activity during the first run.Like a lobster shell, security has layers — review code before you run it.
latestvk97dbatq5syyja27acbrbdgjqs80z5kk
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
Binsnode, npm
EnvGHOST_ADMIN_KEY, GHOST_API_URL
Primary envGHOST_ADMIN_KEY