Manage Ghost CMS blog posts via Admin API. Supports creating, updating, deleting, and listing posts. Use when the user needs to programmatically manage Ghost...
Security Analysis
medium confidenceThe skill appears to do what it says (manage Ghost via the Admin API); requested artifacts and code are generally proportionate, with a few minor oddities and a small robustness bug but no clear misdirection or exfiltration behavior.
Name/description (Ghost Admin API client) match the included code and instructions. The skill expects a JSON config file containing api_url and admin_api_key rather than environment variables; that is a legitimate design choice but differs from many skills that declare required env vars. Some sample paths and a hardcoded domain ('fu-ye.com') appear to be leftover from the original author's environment and are not necessary for general use.
SKILL.md and the code keep to Ghost management tasks (create/update/delete/list posts, upload images). The runtime instructions explicitly require a user-provided JSON config file and instruct installing only requests and pyjwt. The code will download remote images when given external image URLs (to re-upload them) which is consistent with the stated 'localize upload' behavior; this means the script can make arbitrary outbound HTTP GET requests for images if the user supplies external URLs.
There is no automated install spec; the skill is instruction-and-script only. Dependencies are installed via pip as documented in SKILL.md (requests, pyjwt). No downloads from untrusted arbitrary URLs or archive extraction were found in the provided files.
The skill requests no platform environment variables, relying instead on a local JSON config file containing the Admin API Key (id:secret). That is proportionate to the stated purpose. However, the registry metadata does not declare this config requirement as a required credential, which is a minor metadata mismatch the user should be aware of.
The skill does not request always:true and does not modify other skills or global agent configuration. It runs as an on-demand script and examples show importing the local script; no persistent or elevated privileges are requested.
Guidance
This skill is coherent with its Ghost CMS purpose, but review these before installing: (1) You must provide a JSON config file containing api_url and the Admin API Key (id:secret); store that file securely and do not commit it to source control. (2) The script will download external image URLs provided by you and re-upload them to your Ghost instance — avoid passing untrusted URLs to prevent unexpected outbound requests. (3) Examples and one conditional branch are specific to a sample domain (fu-ye.com) and example file paths; replace those with your own. (4) The scripts call requests and pyjwt — install those packages in an isolated environment (virtualenv) and inspect scripts/ghost.py yourself before use (there is a small truncation/typo in the distributed listing that suggests verifying the full file). If you need the platform to manage credentials, consider storing the Admin API Key in a secure secret store instead of a filesystem file.
Latest Release
v1.0.5
Initial release with full Ghost CMS blog management via Admin API, including image uploads: - Create, update, delete, and list blog posts through Ghost Admin API - NEW: Upload images and set feature images (cover images) for posts - Full CLI and Python API support for all actions - Tag management on posts - Unique configuration via explicit JSON config path for secure, project-based isolation
More by @AlphaFactor
Published by @AlphaFactor on ClawHub
