harshraj001

Write My Blog

by Harsh Raj · GitHub ↗ · v0.1.0
cross-platform ⚠ suspicious
682 Downloads · 2 Stars · 2 Active Installs · 1 Versions
Install in OpenClaw
/install write-my-blog
Description
Enables the agent to create, manage, and publish a full-featured blog autonomously. The agent can write posts, upload media, switch between 10 premium design...
Usage Guidance
This package appears to be a legitimate self-hosted blog platform, but exercise caution before running its setup or allowing an agent to run it autonomously. Key points to consider:
- The repo and scripts will ask for or expect sensitive credentials (Supabase service role key, MongoDB URIs, Redis URLs) and will write them into platform/.env.local; the skill metadata did not declare these needs. Only provide least-privilege keys, and avoid giving high-privilege service keys unless you understand the implications.
- The setup script can run non-interactively and will overwrite an existing .env.local without prompting in that mode. Don’t run non-interactive setup in an environment where the agent has access to unrelated secrets.
- The setup runs npm install (downloads many packages). Run it in an isolated environment (container/VM) if you want to limit blast radius.
- Review scripts (scripts/setup.sh, deploy-*.sh, and any DB adapter code) yourself before executing. If you plan to deploy, create dedicated deployment/service accounts and rotate keys after use.
- If you want the agent to operate this skill, prefer interactive setup and manual provisioning of cloud credentials rather than exposing them to the agent runtime.
If you have questions about specific files or want a focused review of the DB adapters or middleware, ask and I can inspect those parts in detail.
Capability Analysis
Type: OpenClaw Skill
Name: write-my-blog
Version: 0.1.0
The OpenClaw skill bundle is classified as suspicious due to several significant vulnerabilities. The most critical is the use of Next.js version 14.2.21, which is explicitly flagged in `platform/package-lock.json` as having a known security vulnerability. Additionally, the custom `sanitizeHtml` function in `platform/src/lib/auth/middleware.ts` relies on regex for sanitization, which is prone to XSS bypasses, and the Content Security Policy includes `'unsafe-inline'` for scripts, further weakening protections. The skill also allows `image/svg+xml` uploads in `platform/src/app/api/media/route.ts`, which, combined with weak sanitization, presents another XSS vector. While the `SKILL.md` instructions do not exhibit malicious prompt injection, these code vulnerabilities could be exploited to compromise the blog or the agent.
Capability Assessment
Purpose & Capability
The name/description (create/manage/publish a blog) align with the included code (Next.js blog, APIs, themes, deploy scripts). However the registry metadata declares no required env vars or binaries while the shipped scripts and platform clearly expect database keys, cache endpoints, and optional CLIs (Vercel/wrangler). That mismatch between declared requirements and actual needs is an inconsistency.
Instruction Scope
SKILL.md tells the agent to run scripts (scripts/setup.sh, deploy scripts) that will install dependencies, write a .env.local file containing API keys/service credentials, run migrations, and potentially deploy to cloud providers. The instructions permit run_command and file operations but do not restrict paths; the setup script in non-interactive mode overwrites .env.local without prompting. Those behaviors broaden the agent's scope to creating and storing sensitive secrets on disk and interacting with external services.
Install Mechanism
There is no formal install spec in the registry (instruction-only), but the provided setup.sh runs 'npm install' which will fetch many public npm packages (package-lock.json included). This is expected for a Next.js app but is a non-trivial install step (network downloads, native optional deps). No obscure download URLs or self-hosted archives were found.
Credentials
The repository and scripts require/consume sensitive credentials (SUPABASE_SERVICE_KEY, MONGODB_URI, REDIS_URL, various DB provider configs) and generate/write an API_KEY into .env.local. Yet the skill metadata lists no required env vars and SKILL.md does not enumerate these upfront. Requesting or writing high-privilege keys (e.g., Supabase service role key) is disproportionate without explicit disclosure. In non-interactive (agent) mode these values must be present in the agent environment or flags, increasing exposure risk.
Persistence & Privilege
The skill does not set always:true and does not modify other skills. It does create/overwrite local configuration (.env.local) and can deploy to external hosts (Vercel/Cloudflare) if run. The non-interactive overwrite behavior and creation of API keys on disk are noteworthy but are normal for deployment scripts.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install write-my-blog
  3. After installation, invoke the skill by name or use /write-my-blog
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.0
- Initial release of the Write My Blog skill: autonomously create, manage, and publish a professional blog.
- Supports writing posts, media uploads, theme management (10 premium themes), and deployment to Cloudflare or Vercel.
- Compatible with PostgreSQL, SQLite, MongoDB, Turso, and Supabase databases; includes caching options (Redis, KV, in-memory).
- Provides REST API for all operations, with API key authentication and rate limiting.
- Strong content guidelines and security best practices are included to ensure proper attribution, SEO, and safe publishing.
Metadata
Slug write-my-blog
Version 0.1.0
License
All-time Installs 2
Active Installs 2
Total Versions 1
Frequently Asked Questions

What is Write My Blog?

Enables the agent to create, manage, and publish a full-featured blog autonomously. The agent can write posts, upload media, switch between 10 premium design... It is an AI Agent Skill for Claude Code / OpenClaw, with 682 downloads so far.

How do I install Write My Blog?

Run "/install write-my-blog" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Write My Blog free?

Yes, Write My Blog is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Write My Blog support?

Write My Blog is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Write My Blog?

It is built and maintained by Harsh Raj (@harshraj001); the current version is v0.1.0.
