harshraj001

Write My Blog

Author: Harsh Raj · GitHub ↗ · v0.1.0
cross-platform ⚠ suspicious
Total downloads: 682
Favorites: 2
Current installs: 2
Versions: 1
Install in OpenClaw
/install write-my-blog
Description
Enables the agent to create, manage, and publish a full-featured blog autonomously. The agent can write posts, upload media, switch between 10 premium design...
Safe Usage Advice
This package appears to be a legitimate self-hosted blog platform, but exercise caution before running its setup or allowing an agent to run it autonomously. Key points:
- The repo and scripts ask for or expect sensitive credentials (Supabase service role key, MongoDB URIs, Redis URLs) and write them into platform/.env.local; the skill metadata does not declare these needs. Provide only least-privilege keys, and do not hand over high-privilege service keys unless you understand what they grant.
- The setup script can run non-interactively, and in that mode it overwrites an existing .env.local without prompting. Do not run non-interactive setup in an environment where the agent has access to unrelated secrets.
- The setup runs npm install, which downloads many packages. Run it in an isolated environment (container or VM) to limit the blast radius.
- Review the scripts (scripts/setup.sh, deploy-*.sh, and any DB adapter code) yourself before executing them. If you plan to deploy, create dedicated deployment/service accounts and rotate keys after use.
- If you want the agent to operate this skill, prefer interactive setup and manual provisioning of cloud credentials over exposing them to the agent runtime.
Functional Analysis
Type: OpenClaw Skill. Name: write-my-blog. Version: 0.1.0.
The OpenClaw skill bundle is classified as suspicious because of several significant weaknesses. The most serious is the pinned Next.js version, 14.2.21 in `platform/package-lock.json`, a release with published security advisories against it; confirm the current status with `npm audit` against that lockfile and upgrade before exposing the app. In addition, the custom `sanitizeHtml` function in `platform/src/lib/auth/middleware.ts` relies on regular expressions for sanitization, an approach that is routinely bypassed for XSS, and the Content Security Policy includes `'unsafe-inline'` for scripts, which removes the browser's last defence against any inline payload that does get through. The skill also allows `image/svg+xml` uploads in `platform/src/app/api/media/route.ts`; SVG is an XML document that can carry `<script>` elements and event-handler attributes, so combined with the weak sanitization it is another XSS vector. The `SKILL.md` instructions do not exhibit malicious prompt injection, but these code weaknesses could be exploited to compromise the blog or the agent operating it.
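The three code-level findings above (regex sanitization, SVG uploads, `'unsafe-inline'`) are easier to judge with concrete inputs. The block below is an added illustration written for this listing; it is not code from the write-my-blog skill. The `regexSanitize` function is a hypothetical sanitizer of the kind the analysis describes, not a copy of the skill's own `sanitizeHtml`, and every payload and byte sequence is constructed. It shows payloads that pass the regex approach untouched or reassembled, an escape-based replacement for untrusted text, a magic-byte upload gate that keeps SVG off the raster allowlist, and a nonce-based CSP `script-src` in place of `'unsafe-inline'`.

```javascript
// Added illustration for the analysis above (not the skill's own code).
// All payloads and byte sequences below are constructed for the demo.

// 1. A typical regex-based "sanitizer". Hypothetical; it stands in for the
//    pattern the analysis warns about, not for the skill's sanitizeHtml.
function regexSanitize(html) {
  return html
    .replace(/<\/?script[^>]*>/gi, '')                      // strip <script> tags
    .replace(/\son\w+\s*=\s*("[^"]*"|'[^']*'|\S+)/gi, '')   // strip on*= handlers
    .replace(/javascript:/gi, '');                          // strip javascript: URLs
}

// Constructed bypass payloads. Each survives regexSanitize() in a form the
// browser's HTML parser still executes.
const BYPASSES = [
  // Single-pass tag stripping reassembles the very tag it removed.
  '<scr<script>ipt>alert(1)</scr</script>ipt>',
  // '/' is a valid attribute separator, so no whitespace precedes onerror.
  '<img src=x/onerror=alert(1)>',
  // The browser entity-decodes attribute values after the regex has run.
  '<a href="java&#115;cript:alert(1)">x</a>',
];

// 2. Hardened handling for untrusted text: escape it, do not "clean" it.
//    If rich HTML must be preserved, use a parser-based allowlist sanitizer
//    (DOMPurify or similar) rather than patching the regexes.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// 3. Upload gate: trust magic bytes, not the client's Content-Type, and keep
//    SVG (an XML document that can carry <script>) off the allowlist entirely.
function detectImageType(bytes) {
  const b = Uint8Array.from(bytes);
  const ascii = (o, n) => String.fromCharCode(...b.subarray(o, o + n));
  if (b.length >= 8 && b[0] === 0x89 && ascii(1, 3) === 'PNG') return 'image/png';
  if (b.length >= 3 && b[0] === 0xff && b[1] === 0xd8 && b[2] === 0xff) return 'image/jpeg';
  if (b.length >= 6 && (ascii(0, 6) === 'GIF87a' || ascii(0, 6) === 'GIF89a')) return 'image/gif';
  if (b.length >= 12 && ascii(0, 4) === 'RIFF' && ascii(8, 4) === 'WEBP') return 'image/webp';
  return null; // SVG/XML text, HTML, or anything else: not a raster image
}

const RASTER_ALLOWLIST = new Set(['image/png', 'image/jpeg', 'image/gif', 'image/webp']);

// Accept only when the sniffed type is on the allowlist and matches what the
// client declared; a mismatch is treated as hostile, not corrected.
function acceptUpload(declaredType, bytes) {
  const sniffed = detectImageType(bytes);
  return sniffed !== null && sniffed === declaredType && RASTER_ALLOWLIST.has(sniffed);
}

// 4. CSP without 'unsafe-inline': inline scripts must carry the per-request
//    nonce. Generate the nonce with a CSPRNG on every request; the demo below
//    passes a fixed placeholder only because it is a demo.
function buildCsp(nonce) {
  return [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}'`,
    "object-src 'none'",
    "base-uri 'none'",
  ].join('; ');
}

const textBytes = s => new TextEncoder().encode(s);

// Demo on the constructed inputs.
console.log(regexSanitize('<img src=x onerror="alert(1)">')); // naive case is stripped
for (const p of BYPASSES) console.log(regexSanitize(p));      // bypasses survive
console.log(escapeHtml(BYPASSES[0]));                          // no live tags remain
console.log(acceptUpload('image/svg+xml', textBytes('<svg onload=alert(1)></svg>'))); // false
console.log(buildCsp('demo-nonce'));
```

Note that the second payload is only interesting against the regex step; a parser-based sanitizer or the escape function handles it because neither depends on where whitespace falls. The upload gate also rejects a PNG declared as JPEG: disagreement between declared and sniffed type is a signal, not something to silently fix.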
Capability Assessment
Purpose & Capability
The name and description (create/manage/publish a blog) align with the included code (Next.js blog, APIs, themes, deploy scripts). However, the registry metadata declares no required env vars or binaries, while the shipped scripts and platform clearly expect database keys, cache endpoints, and optional CLIs (Vercel/wrangler). That mismatch between declared requirements and actual needs is an inconsistency.
Instruction Scope
SKILL.md tells the agent to run scripts (scripts/setup.sh, deploy scripts) that will install dependencies, write a .env.local file containing API keys/service credentials, run migrations, and potentially deploy to cloud providers. The instructions permit run_command and file operations but do not restrict paths; the setup script in non-interactive mode overwrites .env.local without prompting. Those behaviors broaden the agent's scope to creating and storing sensitive secrets on disk and interacting with external services.
Install Mechanism
There is no formal install spec in the registry (instruction-only), but the provided setup.sh runs 'npm install' which will fetch many public npm packages (package-lock.json included). This is expected for a Next.js app but is a non-trivial install step (network downloads, native optional deps). No obscure download URLs or self-hosted archives were found.
Credentials
The repository and scripts require/consume sensitive credentials (SUPABASE_SERVICE_KEY, MONGODB_URI, REDIS_URL, various DB provider configs) and generate/write an API_KEY into .env.local. Yet the skill metadata lists no required env vars and SKILL.md does not enumerate these upfront. Requesting or writing high-privilege keys (e.g., Supabase service role key) is disproportionate without explicit disclosure. In non-interactive (agent) mode these values must be present in the agent environment or flags, increasing exposure risk.
Persistence & Privilege
The skill does not set always:true and does not modify other skills. It does create/overwrite local configuration (.env.local) and can deploy to external hosts (Vercel/Cloudflare) if run. The non-interactive overwrite behavior and creation of API keys on disk are noteworthy but are normal for deployment scripts.
How to Use
  1. Make sure OpenClaw is installed (local or Docker deployment).
  2. Enter the install command in the chat box: /install write-my-blog
  3. After installation, invoke the skill by name or trigger it with /write-my-blog.
  4. Provide the required inputs according to the skill's parameter description to get structured output.
Version History
v0.1.0
- Initial release of the Write My Blog skill: autonomously create, manage, and publish a professional blog.
- Supports writing posts, media uploads, theme management (10 premium themes), and deployment to Cloudflare or Vercel.
- Compatible with PostgreSQL, SQLite, MongoDB, Turso, and Supabase databases; includes caching options (Redis, KV, in-memory).
- Provides a REST API for all operations, with API key authentication and rate limiting.
- Includes content guidelines and security best practices to ensure proper attribution, SEO, and safe publishing.
Metadata
Slug: write-my-blog
Version: 0.1.0
License: (not listed)
Cumulative installs: 2
Current installs: 2
Versions published: 1
FAQ

What is Write My Blog?

Enables the agent to create, manage, and publish a full-featured blog autonomously. The agent can write posts, upload media, switch between 10 premium design... It is an AI agent skill plugin for Claude Code / OpenClaw, with 682 cumulative downloads to date.

How do I install Write My Blog?

Run the command "/install write-my-blog" in the OpenClaw or Claude Code chat box to install it in one step. Note that the bundled setup script does expect database and cache credentials that the skill metadata does not declare; see the Safe Usage Advice above before running it.

Is Write My Blog free?

Yes, Write My Blog is completely free (open source) and can be freely downloaded, installed, and used.

Which platforms does Write My Blog support?

Write My Blog is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed Write My Blog?

Developed and maintained by Harsh Raj (@harshraj001); the current version is v0.1.0.
