Blog Forge

Security checks across static analysis, malware telemetry, and agentic risk

Overview

Blog Forge appears to match its stated purpose, but it can use AI-provider and blog-platform credentials, so users should review content before publishing and protect tokens.

This skill looks coherent for AI blog generation and publishing. Before installing, decide whether you are comfortable giving it LLM API keys and blog-platform tokens, review all generated content before publishing, and avoid sending confidential topics to cloud models unless that is acceptable for your use case.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If publishing is invoked, generated content may be posted or drafted on a real blog account.

Why it was flagged

This is a disclosed and purpose-aligned feature, but it can create or publish content on external blogging platforms, which is a high-impact account action.

Skill content
Direct Publishing: Publish drafts to Medium, WordPress, or Ghost from a single method call
Recommendation

Review the generated post first, require explicit user confirmation before publishing, and prefer draft/unlisted modes when available.
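The gate this recommendation describes, written out as an added example that is not Blog Forge's code or part of the scan output. It assumes a platform client object exposing `createPost(payload)` and the per-platform status names shown (both hypothetical); the environment variable names are the ones the report lists. Without an explicit confirmation that echoes the post title, every call lands as a draft, and any platform secret that leaks into an error message is scrubbed before it can reach a log or an LLM tool result.

```javascript
// Added example, not Blog Forge's own code: a gate in front of a blog-platform
// client that defaults to drafts, goes live only on an explicit typed-back
// confirmation, and strips platform credentials out of error text.
// The client interface (createPost), the status names and the fake client are
// assumptions for illustration; the env var names come from the report.

const PLATFORMS = {
  medium:    { draft: "draft", live: "public" },
  wordpress: { draft: "draft", live: "publish" },
  ghost:     { draft: "draft", live: "published" },
};

// Pure decision function: what is this call allowed to do?
// Returns { action: "draft" | "publish" | "refuse", status?, reason }.
function planPublish(post, options = {}) {
  const platform = PLATFORMS[options.platform];
  if (!platform) {
    return { action: "refuse", reason: `unknown platform: ${options.platform}` };
  }
  const hasText = (v) => typeof v === "string" && v.trim().length > 0;
  if (!post || !hasText(post.title) || !hasText(post.body)) {
    return { action: "refuse", reason: "post needs a non-empty title and body" };
  }
  // Going live requires the caller to echo the exact title being published.
  // A bare boolean is too easy for an agent to set reflexively.
  if (options.confirmLive == null) {
    return { action: "draft", status: platform.draft, reason: "no confirmation; drafting" };
  }
  if (options.confirmLive !== post.title) {
    return { action: "refuse", reason: "confirmation does not match the post title" };
  }
  return { action: "publish", status: platform.live, reason: "explicitly confirmed" };
}

// Replace every occurrence of a held secret in a string before it reaches a
// log line or an LLM tool result. split/join avoids regex metacharacters.
function redactSecrets(message, secrets) {
  let out = String(message);
  for (const s of secrets) {
    if (typeof s === "string" && s.length >= 8) out = out.split(s).join("[REDACTED]");
  }
  return out;
}

// Wrapper around a client exposing createPost(payload) -> { id, url }.
// Credentials are read from the environment, never from the post or prompt.
async function guardedPublish(client, post, options, env = process.env) {
  const plan = planPublish(post, options);
  if (plan.action === "refuse") throw new Error(`publish refused: ${plan.reason}`);
  const secrets = [env.MEDIUM_INTEGRATION_TOKEN, env.WP_APP_PASSWORD, env.GHOST_ADMIN_API_KEY];
  try {
    const res = await client.createPost({ title: post.title, body: post.body, status: plan.status });
    return { action: plan.action, status: plan.status, id: res.id, url: res.url };
  } catch (err) {
    throw new Error(redactSecrets(err && err.message, secrets));
  }
}

// Constructed in-memory client so the example runs offline; records payloads.
function fakeClient(calls) {
  return {
    async createPost(payload) {
      calls.push(payload);
      return { id: String(calls.length), url: `https://blog.example/${calls.length}` };
    },
  };
}

// Exercises the three interesting paths and reports what happened.
async function demo() {
  const calls = [];
  const client = fakeClient(calls);
  const post = { title: "Release notes", body: "Generated by the skill." };
  const drafted = await guardedPublish(client, post, { platform: "ghost" });
  const live = await guardedPublish(client, post, { platform: "ghost", confirmLive: "Release notes" });
  let refused = null;
  try {
    await guardedPublish(client, post, { platform: "ghost", confirmLive: "Release Notes" });
  } catch (e) { refused = e.message; }
  return { drafted: drafted.status, live: live.status, refused, calls: calls.length };
}
```

`demo()` resolves to a draft, then a published post, then a refusal for the near-miss confirmation, with only two calls reaching the fake client. Keeping `planPublish` pure means the confirmation logic can be reviewed and unit-tested without credentials or network access, which is also where a reviewer should look first when auditing a publishing skill.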

What this means

Supplying these tokens or app passwords gives the skill delegated access to generate through providers and publish to connected sites.

Why it was flagged

The skill documents optional credentials for LLM providers and publishing platforms. These are expected for the feature set, and no artifact shows hardcoded secrets or credential leakage.

Skill content
MEDIUM_INTEGRATION_TOKEN ... WP_USERNAME ... WP_APP_PASSWORD ... GHOST_ADMIN_API_KEY
Recommendation

Use revocable, least-privilege credentials. A WordPress application password inherits the role of the user it was created for, so issue it on a dedicated Author or Contributor account rather than an Administrator. A Ghost Admin API key carries full content-management access, so create it from a dedicated custom integration that can be deleted on its own without touching other integrations. Keep all of these in environment variables rather than in the skill's files, avoid sharing full admin credentials where possible, and revoke them as soon as the skill is no longer in use.

What this means

Confidential topics, keywords, or draft material could be sent to Anthropic or OpenAI if those providers are selected.

Why it was flagged

The visible code routes generated prompts to the selected model provider. This is disclosed and purpose-aligned, but cloud providers may receive the topic and prompt content.

Skill content
case 'anthropic': rawContent = await this._callAnthropic(...); case 'openai': rawContent = await this._callOpenAI(...); case 'ollama': rawContent = await this._callOllama(...)
Recommendation

Avoid using sensitive or unpublished confidential material with cloud models unless provider terms and data handling are acceptable; use local Ollama for more private drafts.
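A policy check in front of the provider switch quoted above, as an added example that is not Blog Forge's code. The provider names match the skill's `case` labels; the request shape, the `policy` object, the marker phrases and the offline `_call*` stand-ins are assumptions for illustration. Requests that are flagged, or whose topic, keywords or draft carry a confidentiality marker, either fail closed or are rerouted to the local Ollama provider depending on policy.

```javascript
// Added example, not Blog Forge's own code: a policy decision in front of the
// provider switch so that prompts marked or detected as confidential never
// reach a cloud model. Provider names match the skill's switch; the request
// shape, policy object and marker phrases are assumptions for illustration,
// and the callers are offline stand-ins for _callAnthropic/_callOpenAI/_callOllama.

const CLOUD_PROVIDERS = new Set(["anthropic", "openai"]);
const LOCAL_PROVIDERS = new Set(["ollama"]);

// Constructed marker list; a real deployment would use its own labels.
const CONFIDENTIAL_MARKERS = [
  /\bconfidential\b/i,
  /\binternal only\b/i,
  /\bdo not distribute\b/i,
  /\bembargoed?\b/i,
  /\bunannounced\b/i,
];

// True if the caller flagged the request or any marker appears in the text
// that would be sent to the provider (topic, keywords, existing draft).
function isConfidential(request) {
  if (request.confidential === true) return true;
  const text = [request.topic || "", ...(request.keywords || []), request.draft || ""].join("\n");
  return CONFIDENTIAL_MARKERS.some((re) => re.test(text));
}

// Chooses the provider that will actually be called, or throws.
// policy.allowCloud === false forces local generation for everything;
// policy.fallbackLocal reroutes blocked requests to ollama instead of failing.
function selectProvider(request, policy = {}) {
  const requested = request.provider || "ollama";
  if (!CLOUD_PROVIDERS.has(requested) && !LOCAL_PROVIDERS.has(requested)) {
    throw new Error(`unknown provider: ${requested}`);
  }
  if (!CLOUD_PROVIDERS.has(requested)) return requested;
  const blockedBy = policy.allowCloud === false
    ? "policy (cloud providers disabled)"
    : isConfidential(request) ? "confidential content" : null;
  if (!blockedBy) return requested;
  if (policy.fallbackLocal) return "ollama";
  throw new Error(`refusing to send request to ${requested}: blocked by ${blockedBy}`);
}

// Offline stand-ins that only tag the topic so the routing is visible.
const callers = {
  anthropic: async (req) => `[anthropic] ${req.topic}`,
  openai:    async (req) => `[openai] ${req.topic}`,
  ollama:    async (req) => `[ollama] ${req.topic}`,
};

// Same shape as the skill's switch, with the policy decision in front of it.
async function generate(request, policy, providers = callers) {
  const provider = selectProvider(request, policy);
  switch (provider) {
    case "anthropic": return providers.anthropic(request);
    case "openai":    return providers.openai(request);
    case "ollama":    return providers.ollama(request);
    default: throw new Error(`unhandled provider: ${provider}`);
  }
}
```

The default of failing closed is deliberate: a silent fallback to a local model is convenient, but it hides from the user that a cloud provider was requested and denied, so `fallbackLocal` has to be opted into. Marker matching is a coarse backstop for the explicit `confidential` flag, not a classifier; the flag is the control a user should set when drafting from unpublished material.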