Blog Forge
v1.0.3
A comprehensive AI-powered blog post generator that creates SEO-optimized, human-sounding content and optionally publishes directly to Medium, WordPress, or...
by Shadow Rose (@theshadowrose)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (AI blog generator with optional publishing) match the code and SKILL.md: model integration env vars and publishing tokens are declared and used in examples. Required binaries/configs are none, which is consistent with a pure-Node.js library that uses built-in modules.
Instruction Scope
SKILL.md instructions focus on generating content, readability analysis, humanization, and publishing workflows. Examples reference only the declared env vars or explicit credentials passed to publishPost. There are no instructions to read unrelated system files or exfiltrate environment data beyond the declared optional API keys/tokens.
Install Mechanism
No install spec is present (instruction-only). The code claims to use only Node.js built-ins (https, http, crypto), which matches the top of the source files and avoids third-party package installs.
Credentials
Declared env vars (ANTHROPIC_API_KEY, OPENAI_API_KEY, MEDIUM_INTEGRATION_TOKEN, WP_URL, WP_USERNAME, WP_APP_PASSWORD, GHOST_URL, GHOST_ADMIN_API_KEY) are proportional and appropriate for LLM providers and publishing platforms. All are optional per SKILL.md and examples show passing credentials explicitly; no unrelated secrets are requested.
Persistence & Privilege
The skill does not request always:true or other elevated persistent privileges. It does network I/O to talk to LLM providers and publishing APIs (expected for its purpose) but does not claim to modify other skills or system-wide settings.
Assessment
This package appears internally consistent for generating and publishing blog posts. Before installing or supplying credentials:
1) Review the publishPost and provider-calling functions to confirm they post only to the platform endpoints you expect (verify no hard-coded or unexpected URLs).
2) Prefer passing platform credentials explicitly to publishPost rather than setting broad environment variables if you want to limit exposure.
3) Because the source/homepage is 'unknown', run the code in a sandbox or inspect the full file contents (especially the network call implementations) before giving it real account tokens.
4) Back up any content and rotate any tokens used for testing.
If you want, I can scan the remaining truncated portions of the source (publish and provider-call implementations) for unexpected endpoints or obfuscated behavior — that would raise my confidence to 'high'.
Like a lobster shell, security has layers — review code before you run it.
Tags: automation, blog, content, latest, publishing, writing
