← Back to Skills Marketplace

OpenClaw-Halo-CMS

Name: OpenClaw-Halo-CMS
Author: thomasoscar

by Thomas_Oscar · GitHub ↗ · v1.0.0 · MIT-0

cross-platform ⚠ suspicious

104

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install openclaw-halo-cms

Description

博客文章管理技能。当用户提到"发文章"、"写博客"、"Halo"、"发帖"、 "回复评论"、"博客管理"等关键词时使用此技能。

Usage Guidance

Do not install or run this skill until the author clarifies and/or fixes the credential handling. Specific things to verify or request from the author: (1) Why does SKILL.md declare HALO_PAT_TOKEN (Bearer) while the script uses HALO_USER/HALO_PASS (Basic)? The code should be updated to use the documented credential or the metadata updated to list the envs the script actually needs. (2) Remove or make optional the .env.halo workspace scan — reading parent directories can expose unrelated secrets; prefer explicit env vars only. (3) Document HALO_URL, HALO_USER, HALO_PASS, and OPENCLAW_WORKSPACE in the metadata if they are required. (4) Review the full script (the provided file was truncated) to ensure there are no hidden endpoints or data-exfiltration behaviors. If you must test it, run it in an isolated sandbox with minimal test credentials and set HALO_URL to a controlled test server. Avoid placing real credentials in workspace files until the mismatch is resolved.

Capability Analysis

Type: OpenClaw Skill Name: openclaw-halo-cms Version: 1.0.0 The skill bundle is a legitimate tool for managing a Halo CMS instance. The Python script (scripts/halo_api.py) implements standard blog management functions such as listing, creating, and publishing posts using the Halo REST API. Notably, the script includes a `_check_content_safety` function that uses regex to warn the user if they are about to post sensitive information like passwords or API keys. The SKILL.md instructions also include defensive prompts requiring the agent to seek user confirmation before publishing and to avoid leaking system configurations, which aligns with the stated purpose and security best practices.

Capability Assessment

⚠ Purpose & Capability

The skill's name/description (Halo blog management) matches the code's operations (listing, creating, publishing posts, replying to comments). However the declared primary credential (HALO_PAT_TOKEN, Bearer JWT) in SKILL.md/metadata is not used by the code; instead the script resolves HALO_USER/HALO_PASS (Basic auth) and reads .env.halo files. This is an incoherence between stated purpose/requirements and actual credential usage.

⚠ Instruction Scope

SKILL.md instructs the agent to run scripts/halo_api.py and specifies Bearer PAT usage and safety constraints, but the script: (1) does not use HALO_PAT_TOKEN, (2) searches for a .env.halo file in the workspace and parent dirs (reads files outside the skill bundle), and (3) relies on HALO_USER/HALO_PASS and HALO_URL. The script therefore accesses environment and filesystem state beyond the declared inputs — this is scope creep and a possible source of secret exposure.

✓ Install Mechanism

No install spec is provided (instruction-only skill plus a Python script). Nothing is downloaded or executed at install time; risk from install mechanism is low. The runtime risk comes from the included script's behavior, not from an installer.

⚠ Credentials

Metadata declares only HALO_PAT_TOKEN as required, but the script uses/reads HALO_USER, HALO_PASS, HALO_URL, and OPENCLAW_WORKSPACE, plus scanning .env.halo files for credentials. Required envs and file reads are not proportional to the declared HALO_PAT_TOKEN: either the metadata is wrong or the code is misaligned. The script may therefore access credentials the user did not expect to be used.

✓ Persistence & Privilege

always is false, no automatic persistence or modification of other skills is present in the manifest. The skill does not request elevated persistence privileges in the registry metadata.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install openclaw-halo-cms
After installation, invoke the skill by name or use /openclaw-halo-cms
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.0.0

Initial release of the halo-cms skill for managing blog articles and comments via Halo REST API. - Supports listing, creating, and publishing blog posts. - Enables listing categories and tags. - Allows replying to comments. - Requires `HALO_PAT_TOKEN` for API authentication. - Enforces strict safety and privacy rules before publishing articles.

Metadata

Slug openclaw-halo-cms

Version 1.0.0

License MIT-0

All-time Installs 0

Active Installs 0

Total Versions 1

Frequently Asked Questions

What is OpenClaw-Halo-CMS?

博客文章管理技能。当用户提到"发文章"、"写博客"、"Halo"、"发帖"、 "回复评论"、"博客管理"等关键词时使用此技能。 It is an AI Agent Skill for Claude Code / OpenClaw, with 104 downloads so far.

How do I install OpenClaw-Halo-CMS?

Run "/install openclaw-halo-cms" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is OpenClaw-Halo-CMS free?

Yes, OpenClaw-Halo-CMS is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does OpenClaw-Halo-CMS support?

OpenClaw-Halo-CMS is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created OpenClaw-Halo-CMS?

It is built and maintained by Thomas_Oscar (@thomasoscar); the current version is v1.0.0.

More Skills