Ghost.io Admin API CLI for managing blog posts, pages, tags, and content.
Security Analysis
Medium confidence: The code and docs match a Ghost Admin CLI, but the skill metadata does not declare the expected credentials or environment variables, and the tool will store admin API keys in a local config file — review before installing.
The name/description, README, SKILL.md and code are coherent: this is a CLI for the Ghost Admin API (posts, pages, tags, images, webhooks, etc.). However the skill metadata lists no required environment variables or primary credential even though both the docs and code expect GHOST_URL and GHOST_ADMIN_KEY (and optionally GHOST_SITE). Also the README/SKILL.md declare a config file (~/.config/ecto/config.json) where API keys are saved — this is expected for the stated purpose but is not reflected in the declared requirements.
SKILL.md restricts instructions to Ghost Admin API operations and common CLI workflows (reading markdown files, reading stdin, uploading images). The runtime instructions and code only read files the user specifies (markdown/image files) and the skill's own config file; they do not try to read unrelated system files or send data to unexpected endpoints beyond the Ghost site configured by the user.
No install spec is declared (instruction-only), which is lowest-risk from an installer perspective. The repository contains full Go source files and a README showing 'go install' usage — there is no automatic download/install URL or extract step in the skill metadata. Note: the presence of source code in the package means someone could build/run it locally; the skill package itself doesn't declare installing arbitrary third-party binaries.
The skill metadata declares no required env vars or primary credential, but both SKILL.md and the code expect and use GHOST_URL, GHOST_ADMIN_KEY (Admin API key), and optionally GHOST_SITE or a config file entry. The tool will persist the API key into a local config file (~/.config/ecto/config.json or XDG_CONFIG_HOME/ecto/config.json). Not declaring these credentials in the metadata is an inconsistency that may cause the platform not to prompt for required secrets and makes the required scope unclear.
always:false (normal). The skill reads and writes its own config file in the user's config directory (XDG_CONFIG_HOME or the default ~/.config/ecto/config.json) to store site entries and API keys — this is a normal behavior for a CLI that manages remote sites, but it means your Admin API key will be written to disk in that location.
Guidance
This package appears to be a legitimate Ghost Admin API CLI. Before installing, consider the following:
- The tool requires a Ghost Admin API key (GHOST_ADMIN_KEY) and site URL (GHOST_URL) to function, but the skill metadata did not declare these. Expect to provide an admin-level API key. If you don't trust the source, do not provide credentials.
- The CLI saves API keys to a local config file (default: ~/.config/ecto/config.json, or XDG_CONFIG_HOME/ecto/config.json). Ensure you are comfortable storing the key on disk and check file permissions; you can set XDG_CONFIG_HOME to control the path.
- The repository source is bundled, but there is no automatic install URL in the metadata — verify the binary you run (or build from source yourself) and prefer installing from a trusted release (official GitHub release or vendor). If you plan to allow an agent to invoke the skill autonomously, be aware that the agent could perform any action the Admin API key permits (create/delete/publish posts, webhooks, upload images).
- If you want least privilege, create a Ghost integration with only the permissions you need (if Ghost supports scoped keys) or use a dedicated integration account and rotate keys regularly. If you need higher assurance, ask the publisher for a verified homepage or release artifacts, or review/build the source locally and inspect ~/.config/ecto/config.json after first run.
Latest Release
v0.1.0
Initial release of ecto CLI for Ghost.io Admin API.
- Manage Ghost blog posts, pages, tags, images, webhooks, and site data via command line.
- Supports multiple site configurations and environment variable overrides.
- Features markdown-to-HTML conversion, JSON output for scripting, and stdin piping for content creation.
- Includes workflows for creating, editing, publishing, scheduling, and deleting content.
- Limitations: No API for listing images/webhooks; member management not supported; user data is read-only.
Published by @visionik on ClawHub