← 返回 Skills 市场
105
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install halo-blog-manager
功能描述
Manage Halo blogs via API - create/edit/delete posts, manage categories/tags, handle comments, upload media. Use when user asks to manage their Halo blog, po...
使用说明 (SKILL.md)
Halo Manager
Manage Halo blogs through the official API.
First-Time Setup
When this skill is first used, ask the user for:
- Blog URL (e.g.,
https://blog.example.com) - Username
- Password
Then save credentials to ~/halo-manager/config.json:
{
"blog_url": "https://blog.example.com",
"username": "your-username",
"password": "your-password"
}
Security Note: Never expose credentials in logs, responses, or shared channels.
Authentication
Halo uses RSA-encrypted password + CSRF token + Session cookie.
Login Flow
- GET
/login- Extract CSRF token and RSA public key - Encrypt password with RSA public key (JSEncrypt)
- POST
/loginwith form data (username, encrypted password, CSRF token) - Receive SESSION cookie for subsequent requests
Session Management
- Use SESSION cookie for all authenticated requests
- If session expires, re-login automatically
- Store session state in
~/halo-manager/session.json
API Endpoints
Console API Base
{blog_url}/apis/api.console.halo.run/v1alpha1/
Posts
| Operation | Method | Endpoint |
|---|---|---|
| List posts | GET | /posts |
| Get post | GET | /posts/{name} |
| Create post | POST | /posts |
| Update post | PUT | /posts/{name} |
| Delete post | DELETE | /posts/{name} |
Categories
| Operation | Method | Endpoint |
|---|---|---|
| List categories | GET | /categories |
| Create category | POST | /categories |
| Update category | PUT | /categories/{name} |
| Delete category | DELETE | /categories/{name} |
Tags
| Operation | Method | Endpoint |
|---|---|---|
| List tags | GET | /tags |
| Create tag | POST | /tags |
| Update tag | PUT | /tags/{name} |
| Delete tag | DELETE | /tags/{name} |
Users
| Operation | Method | Endpoint |
|---|---|---|
| List users | GET | /users |
| Get current user | GET | /users/- |
Comments
| Operation | Method | Endpoint |
|---|---|---|
| List comments | GET | /comments |
| Approve comment | PUT | /comments/{name}/approval |
| Delete comment | DELETE | /comments/{name} |
Media
| Operation | Method | Endpoint |
|---|---|---|
| List attachments | GET | /attachments |
| Upload attachment | POST | /attachments |
| Delete attachment | DELETE | /attachments/{name} |
Common Workflows
Create a Post
- Login to get session
- Prepare post data:
{
"post": {
"spec": {
"title": "Post Title",
"slug": "post-slug",
"content": "Post content in Markdown",
"rawType": "markdown",
"categories": ["category-name"],
"tags": ["tag1", "tag2"],
"publish": true
}
}
}
- POST to
/posts - Verify creation
Upload Media
- Login to get session
- Prepare multipart form data
- POST to
/attachments - Get attachment URL from response
Error Handling
| Status | Meaning | Action |
|---|---|---|
| 401 | Unauthorized | Re-login |
| 403 | Forbidden | Check permissions |
| 404 | Not found | Verify resource exists |
| 500 | Server error | Retry or report |
Output Format
【操作名称】
请求:{method} {endpoint}
状态:{status_code}
结果:成功/失败
详情:...
Security Best Practices
- Never log credentials - Mask passwords in all outputs
- Use HTTPS - Always prefer secure connections
- Session timeout - Re-authenticate when session expires
- Local storage only - Credentials stay on user's machine
References
- API Reference - Complete API documentation
- Examples - Common usage examples
安全使用建议
This skill looks like a legitimate Halo blog manager, but there are a few red flags you should consider before installing or providing credentials:
- The included Python script requires third‑party libraries (requests, PyCryptodome) but the skill does not declare installation steps. The skill may fail to run or the author assumed those packages are present. Ask the author to add an install spec or provide instructions to install dependencies (e.g., pip install requests pycryptodome).
- The tool asks you for your blog username and password and saves them to ~/halo-manager/config.json in plaintext. If you provide credentials, they will be stored unencrypted on disk. Prefer creating a limited-scope account or an API token (if Halo supports it) instead of using your primary account. At minimum, ensure the config file has restrictive file permissions (chmod 600) and is stored on a trusted machine.
- The SKILL.md says 'never expose credentials in logs', but the code still stores the raw password; this is an internal inconsistency. Review the code yourself or run it in a sandboxed environment before trusting it with sensitive credentials.
- If you want to proceed: request the author to (1) declare/install dependencies, (2) support encrypted storage or keychain/OS secrets, and (3) avoid storing plaintext passwords (or document clear file-permission recommendations). If you are unsure, do not provide your production credentials; test with a throwaway account first.
功能分析
Type: OpenClaw Skill
Name: halo-blog-manager
Version: 1.0.0
The halo-blog-manager skill is a legitimate tool for managing Halo CMS blogs via its official API. It handles authentication using RSA encryption and session management, storing credentials and session tokens locally in the user's home directory (~/halo-manager/) as described in SKILL.md and implemented in scripts/halo_login.py. The code follows standard security practices, such as using HTTPS and advising against logging sensitive information, with no evidence of data exfiltration, malicious execution, or prompt injection.
能力评估
Purpose & Capability
The skill's name, docs, and the included Python login script align with managing a Halo blog. However, the skill declares no required binaries/dependencies while the included script imports requests and PyCryptodome (Cryptodome) — a mismatch between declared requirements and actual code.
Instruction Scope
SKILL.md and the script instruct the agent to ask for username/password and save them to ~/halo-manager/config.json; the script stores the password in plaintext. While local storage is reasonable for a client tool, saving an unhashed plaintext password without recommending OS-level protections is a security concern and contradicts the 'never expose credentials' guidance in the SKILL.md.
Install Mechanism
There is no install specification even though the code requires third-party Python packages (requests, PyCryptodome). That absence means the runtime might fail or the skill author expects the environment to already have those packages — either way it is an incoherence and increases operational risk.
Credentials
The skill does not request environment variables or unrelated credentials (good). It does, however, request the user's Halo blog credentials interactively and persists them locally; requiring the service credential is proportionate to the stated purpose but storing them plaintext raises proportionality/privacy concerns.
Persistence & Privilege
The skill is not always-enabled and does not request elevated/platform-wide privileges. It stores its own config and session files under the user's home directory (~/halo-manager) which is expected behavior for a local helper.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install halo-blog-manager - 安装完成后,直接呼叫该 Skill 的名称或使用
/halo-blog-manager触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release - Complete Halo CMS API management skill with authentication, posts, categories, tags, comments, and media support.
元数据
常见问题
Halo Blog Manager 是什么?
Manage Halo blogs via API - create/edit/delete posts, manage categories/tags, handle comments, upload media. Use when user asks to manage their Halo blog, po... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 105 次。
如何安装 Halo Blog Manager?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install halo-blog-manager」即可一键安装,无需额外配置。
Halo Blog Manager 是免费的吗?
是的,Halo Blog Manager 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Halo Blog Manager 支持哪些平台?
Halo Blog Manager 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Halo Blog Manager?
由 sirius(@siyrs)开发并维护,当前版本 v1.0.0。
推荐 Skills