Ecto
v0.1.0
Ghost.io Admin API CLI for managing blog posts, pages, tags, and content.
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description, README, SKILL.md and code are coherent: this is a CLI for the Ghost Admin API (posts, pages, tags, images, webhooks, etc.). However the skill metadata lists no required environment variables or primary credential even though both the docs and code expect GHOST_URL and GHOST_ADMIN_KEY (and optionally GHOST_SITE). Also the README/SKILL.md declare a config file (~/.config/ecto/config.json) where API keys are saved — this is expected for the stated purpose but is not reflected in the declared requirements.
Instruction Scope
SKILL.md restricts instructions to Ghost Admin API operations and common CLI workflows (reading markdown files, reading stdin, uploading images). The runtime instructions and code only read files the user specifies (markdown/image files) and the skill's own config file; they do not try to read unrelated system files or send data to unexpected endpoints beyond the Ghost site configured by the user.
Install Mechanism
No install spec is declared (instruction-only), which is lowest-risk from an installer perspective. The repository contains full Go source files and a README showing 'go install' usage — there is no automatic download/install URL or extract step in the skill metadata. Note: the presence of source code in the package means someone could build/run it locally; the skill package itself doesn't declare installing arbitrary third-party binaries.
Credentials
The skill metadata declares no required env vars or primary credential, but both SKILL.md and the code expect and use GHOST_URL, GHOST_ADMIN_KEY (Admin API key), and optionally GHOST_SITE or a config file entry. The tool will persist the API key into a local config file (~/.config/ecto/config.json or XDG_CONFIG_HOME/ecto/config.json). Not declaring these credentials in the metadata is an inconsistency that may cause the platform not to prompt for required secrets and makes the required scope unclear.
Persistence & Privilege
always:false (normal). The skill reads and writes its own config file in the user's config directory (XDG_CONFIG_HOME or the default ~/.config/ecto/config.json) to store site entries and API keys — this is a normal behavior for a CLI that manages remote sites, but it means your Admin API key will be written to disk in that location.
What to consider before installing
This package appears to be a legitimate Ghost Admin API CLI. Before installing, consider the following:
- The tool requires a Ghost Admin API key (GHOST_ADMIN_KEY) and site URL (GHOST_URL) to function, but the skill metadata did not declare these. Expect to provide an admin-level API key. If you don't trust the source, do not provide credentials.
- The CLI saves API keys to a local config file (default: ~/.config/ecto/config.json, or XDG_CONFIG_HOME/ecto/config.json). Ensure you are comfortable storing the key on disk and check file permissions; you can set XDG_CONFIG_HOME to control the path.
- The repository source is bundled, but there is no automatic install URL in the metadata — verify the binary you run (or build from source yourself) and prefer installing from a trusted release (official GitHub release or vendor). If you plan to allow an agent to invoke the skill autonomously, be aware that the agent could perform any action the Admin API key permits (create/delete/publish posts, webhooks, upload images).
- If you want least privilege, create a Ghost integration with only the permissions you need (if Ghost supports scoped keys) or use a dedicated integration account and rotate keys regularly.
If you need higher assurance, ask the publisher for a verified homepage or release artifacts, or review/build the source locally and inspect ~/.config/ecto/config.json after first run.
Like a lobster shell, security has layers — review code before you run it.
