Publish markdown articles to Dev.to via their REST API. Use this skill whenever the user wants to publish a blog post or article to Dev.to.
Security Analysis
Medium confidence: The instructions describe a legitimate Dev.to publisher, but the skill metadata omits the Dev.to API key requirement and the SKILL.md refers to a local script that is not included — these inconsistencies warrant caution.
Name/description and the instructions consistently describe publishing Markdown to Dev.to, which is coherent. However, the SKILL.md explicitly requires a Dev.to API key while the skill metadata declares no required credentials or primaryEnv, and no code files are included despite referencing a 'scripts/publish_devto.py' script. That mismatch (stated need for a secret but not declared, plus a referenced script that doesn't exist in the bundle) is inconsistent with the stated purpose.
The SKILL.md gives narrow, well-scoped runtime instructions: parse a Markdown file, construct a JSON payload, and POST to https://dev.to/api/articles with the api-key header. It does not instruct reading unrelated system files. The practical problem: it instructs running a local Python script at scripts/publish_devto.py, but there is no script in the package — so the agent or user would need to supply or fetch that code, which expands the actual behavior beyond what's bundled.
There is no install spec and no code files, which is low risk on its own. However, because the instructions reference an external script that is not provided, an operator/agent may attempt to obtain or generate that script elsewhere; that missing artifact is an operational gap to resolve before trusting the skill.
The SKILL.md requires a Dev.to API key (sensitive credential) but the skill metadata declares no required environment variables or primary credential. This is an incoherence: a credential is needed for the task but is not declared. Also, the example shows passing the API key on the command line (python ... --api-key YOUR_API_KEY), which can leak the key in shell history or process listings — a security consideration the instructions do not address.
The skill does not request always:true, does not modify other skills, and has no install-time persistence. Agent autonomy is enabled by default (disable-model-invocation: false) but that is normal and not by itself concerning here.
Guidance
This skill appears to describe a simple Dev.to publisher, but there are two practical inconsistencies you should resolve before using it: (1) SKILL.md says you need a Dev.to API key but the metadata doesn't declare any required credential — treat this as a missing/undeclared secret requirement; (2) the instructions call a local script (scripts/publish_devto.py) that is not included in the skill package. Do not paste your API key into a command line until you have reviewed the publishing script's source or obtained it from a trusted origin. Prefer providing the API key via a secure environment variable or prompting rather than as a CLI argument (to avoid shell-history/process-list exposure). Ask the publisher for the missing script or supply your own implementation that calls https://dev.to/api/articles, and verify its code before running. If you cannot validate the script or source, treat the skill as untrusted.
Latest Release
v1.0.0
Initial release of Blog Publisher Lite for Dev.to.
- Publish Markdown articles directly to Dev.to using their REST API.
- Supports extracting the title, tags, and body from standard Markdown files.
- Simple CLI for publishing as draft or live with customizable tags.
- Includes troubleshooting tips for common API errors.
- Requires a Dev.to API key for authentication.
Published by @apex-stack-ai on ClawHub