← Back to Skills Marketplace
siyrs

Halo Blog Manager

by sirius · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
105
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install halo-blog-manager
Description
Manage Halo blogs via API - create/edit/delete posts, manage categories/tags, handle comments, upload media. Use when user asks to manage their Halo blog, po...
README (SKILL.md)

Halo Manager

Manage Halo blogs through the official API.

First-Time Setup

When this skill is first used, ask the user for:

  1. Blog URL (e.g., https://blog.example.com)
  2. Username
  3. Password

Then save credentials to ~/halo-manager/config.json:

{
  "blog_url": "https://blog.example.com",
  "username": "your-username",
  "password": "your-password"
}

Security Note: Never expose credentials in logs, responses, or shared channels.

Authentication

Halo uses RSA-encrypted password + CSRF token + Session cookie.

Login Flow

  1. GET /login - Extract CSRF token and RSA public key
  2. Encrypt password with RSA public key (JSEncrypt)
  3. POST /login with form data (username, encrypted password, CSRF token)
  4. Receive SESSION cookie for subsequent requests

Session Management

  • Use SESSION cookie for all authenticated requests
  • If session expires, re-login automatically
  • Store session state in ~/halo-manager/session.json

API Endpoints

Console API Base

{blog_url}/apis/api.console.halo.run/v1alpha1/

Posts

Operation Method Endpoint
List posts GET /posts
Get post GET /posts/{name}
Create post POST /posts
Update post PUT /posts/{name}
Delete post DELETE /posts/{name}

Categories

Operation Method Endpoint
List categories GET /categories
Create category POST /categories
Update category PUT /categories/{name}
Delete category DELETE /categories/{name}

Tags

Operation Method Endpoint
List tags GET /tags
Create tag POST /tags
Update tag PUT /tags/{name}
Delete tag DELETE /tags/{name}

Users

Operation Method Endpoint
List users GET /users
Get current user GET /users/-

Comments

Operation Method Endpoint
List comments GET /comments
Approve comment PUT /comments/{name}/approval
Delete comment DELETE /comments/{name}

Media

Operation Method Endpoint
List attachments GET /attachments
Upload attachment POST /attachments
Delete attachment DELETE /attachments/{name}

Common Workflows

Create a Post

  1. Login to get session
  2. Prepare post data:
{
  "post": {
    "spec": {
      "title": "Post Title",
      "slug": "post-slug",
      "content": "Post content in Markdown",
      "rawType": "markdown",
      "categories": ["category-name"],
      "tags": ["tag1", "tag2"],
      "publish": true
    }
  }
}
  1. POST to /posts
  2. Verify creation

Upload Media

  1. Login to get session
  2. Prepare multipart form data
  3. POST to /attachments
  4. Get attachment URL from response

Error Handling

Status Meaning Action
401 Unauthorized Re-login
403 Forbidden Check permissions
404 Not found Verify resource exists
500 Server error Retry or report

Output Format

【操作名称】

请求:{method} {endpoint}
状态:{status_code}
结果:成功/失败

详情:...

Security Best Practices

  1. Never log credentials - Mask passwords in all outputs
  2. Use HTTPS - Always prefer secure connections
  3. Session timeout - Re-authenticate when session expires
  4. Local storage only - Credentials stay on user's machine

References

Usage Guidance
This skill looks like a legitimate Halo blog manager, but there are a few red flags you should consider before installing or providing credentials: - The included Python script requires third‑party libraries (requests, PyCryptodome) but the skill does not declare installation steps. The skill may fail to run or the author assumed those packages are present. Ask the author to add an install spec or provide instructions to install dependencies (e.g., pip install requests pycryptodome). - The tool asks you for your blog username and password and saves them to ~/halo-manager/config.json in plaintext. If you provide credentials, they will be stored unencrypted on disk. Prefer creating a limited-scope account or an API token (if Halo supports it) instead of using your primary account. At minimum, ensure the config file has restrictive file permissions (chmod 600) and is stored on a trusted machine. - The SKILL.md says 'never expose credentials in logs', but the code still stores the raw password; this is an internal inconsistency. Review the code yourself or run it in a sandboxed environment before trusting it with sensitive credentials. - If you want to proceed: request the author to (1) declare/install dependencies, (2) support encrypted storage or keychain/OS secrets, and (3) avoid storing plaintext passwords (or document clear file-permission recommendations). If you are unsure, do not provide your production credentials; test with a throwaway account first.
Capability Analysis
Type: OpenClaw Skill Name: halo-blog-manager Version: 1.0.0 The halo-blog-manager skill is a legitimate tool for managing Halo CMS blogs via its official API. It handles authentication using RSA encryption and session management, storing credentials and session tokens locally in the user's home directory (~/halo-manager/) as described in SKILL.md and implemented in scripts/halo_login.py. The code follows standard security practices, such as using HTTPS and advising against logging sensitive information, with no evidence of data exfiltration, malicious execution, or prompt injection.
Capability Assessment
Purpose & Capability
The skill's name, docs, and the included Python login script align with managing a Halo blog. However, the skill declares no required binaries/dependencies while the included script imports requests and PyCryptodome (Cryptodome) — a mismatch between declared requirements and actual code.
Instruction Scope
SKILL.md and the script instruct the agent to ask for username/password and save them to ~/halo-manager/config.json; the script stores the password in plaintext. While local storage is reasonable for a client tool, saving an unhashed plaintext password without recommending OS-level protections is a security concern and contradicts the 'never expose credentials' guidance in the SKILL.md.
Install Mechanism
There is no install specification even though the code requires third-party Python packages (requests, PyCryptodome). That absence means the runtime might fail or the skill author expects the environment to already have those packages — either way it is an incoherence and increases operational risk.
Credentials
The skill does not request environment variables or unrelated credentials (good). It does, however, request the user's Halo blog credentials interactively and persists them locally; requiring the service credential is proportionate to the stated purpose but storing them plaintext raises proportionality/privacy concerns.
Persistence & Privilege
The skill is not always-enabled and does not request elevated/platform-wide privileges. It stores its own config and session files under the user's home directory (~/halo-manager) which is expected behavior for a local helper.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install halo-blog-manager
  3. After installation, invoke the skill by name or use /halo-blog-manager
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release - Complete Halo CMS API management skill with authentication, posts, categories, tags, comments, and media support.
Metadata
Slug halo-blog-manager
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Halo Blog Manager?

Manage Halo blogs via API - create/edit/delete posts, manage categories/tags, handle comments, upload media. Use when user asks to manage their Halo blog, po... It is an AI Agent Skill for Claude Code / OpenClaw, with 105 downloads so far.

How do I install Halo Blog Manager?

Run "/install halo-blog-manager" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Halo Blog Manager free?

Yes, Halo Blog Manager is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Halo Blog Manager support?

Halo Blog Manager is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Halo Blog Manager?

It is built and maintained by sirius (@siyrs); the current version is v1.0.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463815 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259802 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200680 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191345 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190333 · by oswalpalash

💬 Comments