Headless Ghost publishing. Write, audit, and automate your entire Ghost operation from your AI workflow — 16 workflows covering article publishing, batch imports, site health audits, email performance analysis, and tag management. Admin API only. No browser, no dashboard, no context switching.
- Node.js installed locally (node --version to verify)
curl installed (curl --version to verify — standard on macOS/Linux)
Ghost Admin API key stored at �INLINECODE2
If those three aren't ready, start with the Credentials Setup section below. Everything else in this skill assumes they're in place.
A full Ghost CMS publishing skill built from real production use — not a generic API wrapper.
This contains proven workflows, hard-won pitfalls, and patterns from actually running a Ghost Pro newsletter and migrating an entire Squarespace blog in an afternoon.
Dependencies
Most workflows use only Node.js built-ins (fs, https, and the standard HMAC module) and curl — no npm packages required.
The Squarespace/WordPress XML migration workflow optionally uses one npm package:
CODEBLOCK0
Install this only if you are running a migration script. All other workflows (publish, update, schedule, image upload, analytics) require no third-party packages.
Required Access
This skill uses Ghost's Admin API. Here's exactly what it does with your credentials:
Reads: Post list, member count, analytics, post content, image URLs.
Recommended setup: Create a dedicated integration key (Settings > Integrations > Add custom integration > Admin API Key). This covers the full publishing workflow with minimal scope.
The skill never stores credentials beyond the file you configure. No external calls outside your Ghost instance.
Security Model
This skill is designed around minimal-scope credential use. Here's exactly how credential access is scoped and why it's safe:
Use a dedicated integration key, not your owner credentials. Ghost Admin → Settings → Integrations → Add custom integration → copy the Admin API Key. This key is isolated to the integration, fully revocable, and scoped to post/image/member operations — your owner account is never exposed.
The credentials file is read-only at runtime. The skill reads ~/.openclaw/credentials/ghost-admin.json to generate a short-lived JWT (5-minute expiry). Nothing is written back to the file. Tokens are captured to shell variables, never logged or persisted.
No external calls outside your Ghost instance. Every API call targets your Ghost domain only. No third-party services, no telemetry, no data leaves your site.
Revocation is instant. If you need to cut access, delete the integration in Ghost Admin → Settings → Integrations. All tokens derived from that key immediately stop working.
Keep the credentials file out of shared folders and version control. Restrict access to your user account only using your OS file permission settings.
What This Skill Won't Do
Ghost's Admin API integration tokens cannot access certain owner-level operations:
- Staff management — owner-only, no API path
Site settings / code injection — API token returns 403 NoPermissionError by design
Redirects and routes files — GET/POST /ghost/api/admin/redirects/ returns 403 with integration tokens. Must upload via Ghost Admin → Settings → Labs → Beta features → Redirects upload button
Theme management (upload + activation) is fully supported via the Admin API — see Workflow 15 below.
If you hit a NoPermissionError on settings write endpoints, that is expected Ghost behavior — not a bug.
Credentials Setup
Create a credentials file at ~/.openclaw/credentials/ghost-admin.json:
Get your key: Ghost Admin > Settings > Integrations > Add custom integration > Admin API Key.
Covers: all post operations, image uploads, scheduling, newsletters, analytics, batch updates.
Authentication
Ghost uses short-lived JWT tokens. Generate one before every API call — they expire in 5 minutes.
Pure Node.js — no npm required.
Token generation uses Node.js built-ins (fs and the standard HMAC module) and the Admin API key format (id:secret). The full implementation is in references/api.md under Authentication — copy the token generation script into your workflow, capture the output to a shell variable, and pass it as Authorization: Ghost {token} on all requests.
Tokens expire in 5 minutes. Regenerate before each API call or every 50 posts in batch operations.
Core Operations
Publish a post + send as newsletter (one call)
CODEBLOCK2
This is the killer feature — one API call publishes to the web and sends to all subscribers simultaneously. Do not publish first and try to send separately. Use Ghost admin to manually resend if you miss this.
Create a draft
Same as above with "status": "draft". No email sent.
Update an existing post
CODEBLOCK3
List posts
CODEBLOCK4
Upload image
CODEBLOCK5
Schedule a post
Add "status": "scheduled" and "published_at": "2026-03-20T18:00:00.000Z" (UTC).
HTML Content
Always use ?source=html in the request URL. Ghost accepts raw HTML in the html field.
Standard article:<p>, <h2>, <h3>, <hr>, <blockquote>, <ul>, �INLINECODE30
Book-style literary typography — ideal for fiction, essays, and long-form literary content:
CODEBLOCK6
YouTube embed:
CODEBLOCK7
Email rules — critical:
- JS is stripped in email delivery. No scripts or interactive elements.
Subscribe widgets are web-only — stripped from email.
Ghost wraps content in its own email template. Don't add headers or footers.
The email_segment field only fires on first publish. It must be in the same API call as "status": "published".
Migration Workflows
See references/workflows.md for full migration playbooks:
- Squarespace XML export > Ghost batch import (proven — full blog migrated in one afternoon)
Theme management (JWT upload where supported; Ghost Admin fallback)
Site audit — scan all published posts for missing feature images, excerpts, meta descriptions, tags, stale slugs, and untouched content (Workflow 14)
Content performance intelligence — three-section report: email performance (open rate, click rate, CTO, divergence analysis), web-only post health + amplification candidates, pages health snapshot. Audience snapshot with subscriber tier breakdown. (Workflow 15)
See references/api.md for complete endpoint documentation, error codes, and token generation details.
Common Pitfalls
- 409 on PUT — must include updated_at from a fresh fetch
Email not sending — email_segment only fires on first publish; use Ghost admin to resend
Rate limiting — add 500ms delay between calls in batch scripts
Token expired mid-batch — regenerate every 50 posts in long operations
INLINECODE38� in fields param causes 400 BadRequestError — use &include=tags instead
External script tag in code injection pointing to a local/LAN hostname will silently fail on the live HTTPS site — mixed content + Private Network Access policy blocks it. All search/widget JS must be inline in the code injection block.
INLINECODE42� always returns 403 with integration tokens — site settings require owner access in Ghost Admin
INLINECODE44� also returns 403 — get Content API key from site HTML source instead (data-key= attribute on portal/search script tags)
Custom theme: {{content}} must be triple-braced — in any custom .hbs template, always use {{{content}}} (three braces). Double-braced {{content}} escapes the HTML and renders undefined instead of the post body.
Custom excerpts drive search — Ghost's Content API fields=excerpt returns the custom excerpt, not body text. If a post needs to surface in client-side search for a keyword, that keyword must appear in the custom excerpt.
Links inside HTML cards in Lexical are double-escaped — regex on "url":"..." fields won't find them. Use json.dumps(lexical) → string replace → json.loads() to safely find and replace any URL pattern inside embedded HTML.
Ghost's sitemap is always clean — Ghost Pro auto-generates sitemaps using the configured site URL. No manual sitemap editing needed.
Squarespace migration leaves /blog/ links — batch imports preserve old internal link paths with the /blog/ prefix. After any Squarespace import, audit all posts for /blog/ references and fix them via the API.
POST /admin/redirects/upload/ returns 403 — redirect rules must be uploaded manually via Ghost Admin → Settings → Labs → Redirects upload button. The API endpoint is blocked for integration tokens by design.
Tag Management
Ghost's Admin API supports full tag CRUD. These endpoints require an Admin-level token (owner or staff with Admin role). Integration tokens return 403 — if that happens, see the safe-mode note below.
List all tags
CODEBLOCK8
Create a tag
CODEBLOCK9
Update a tag
CODEBLOCK10
Delete a tag
CODEBLOCK11
Bulk assign a tag to multiple posts
CODEBLOCK12
Safe-mode note: All tag write endpoints (POST, PUT, DELETE) require owner-level Admin API credentials. If you get a 403, either switch to an owner token or manage tags manually in Ghost Admin → Settings → Tags. The list endpoint (GET) works with standard integration tokens.
License
MIT. Copyright (c) 2026 @highnoonoffice. Retain this notice in any distributed version.
Ghost Publishing Pro
安装前须知
本技能有三个硬性要求:
- Node.js 已本地安装(通过 node --version 验证)
curl 已安装(通过 curl --version 验证——macOS/Linux 系统标配)
Ghost Admin API 密钥 存储在 ~/.openclaw/credentials/ghost-admin.json
如果这三项尚未就绪,请先阅读下方的凭据设置部分。本技能中的其他所有内容均假定这些条件已满足。
一个完整的 Ghost CMS 发布技能,基于真实生产环境构建——绝非通用的 API 封装。
其中包含经过验证的工作流程、来之不易的经验教训,以及实际运营 Ghost Pro 通讯和在一个下午内迁移整个 Squarespace 博客的模式。
