ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

WordPress REST API CLI

v1.0.0

OpenClaw skill that provides a WordPress REST API CLI for posts, pages, categories, tags, users, and custom requests using plain HTTP.

0· 80·0 current·0 all-time
by@akkualle
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The name/description, SKILL.md, and scripts/wp-cli.js are coherent: a WordPress REST API CLI legitimately needs WP_BASE_URL and optional auth tokens. However the registry metadata declared 'required env vars: none' while SKILL.md and the code require WP_BASE_URL and accept WP_BASIC_TOKEN / WP_USER + WP_APP_PASSWORD / WP_JWT_TOKEN. That omission in metadata is an inconsistency to be aware of.
Instruction Scope
Runtime instructions and the script operate only against the configured WP_BASE_URL REST endpoints and use only standard JSON bodies. The script will read local files referenced with the @path convention (fs.readFileSync) and environment variables for auth; there are no references to unrelated system files, hidden endpoints, or unexplained network destinations.
Install Mechanism
There is no remote download/install spec in the registry; the SKILL.md expects a normal npm install (package.json included). No arbitrary URL downloads or extraction steps are present in the provided files.
Credentials
The environment variables used by the code (WP_BASE_URL, WP_BASIC_TOKEN, WP_USER, WP_APP_PASSWORD, WP_JWT_TOKEN) are appropriate for a WordPress CLI. The concern is purely that the registry metadata did not declare these required env vars — the code will fail or exit if WP_BASE_URL is missing. No unrelated credentials or services are requested.
Persistence & Privilege
Skill does not request always:true, does not modify other skills or system settings, and has normal autonomous-invocation defaults. It does not persist credentials itself or claim system-wide privileges.
Assessment
This skill's code implements a straightforward WordPress REST CLI and appears to do only WordPress API calls. Before installing: (1) confirm you supply WP_BASE_URL and only the minimum-privilege credentials (prefer a dedicated bot account and application password); (2) note the registry metadata omitted required env declarations — treat that as a bookkeeping issue and double-check env names expected by the script; (3) be careful when using the @file feature (do not pass paths to sensitive local files you don't intend to send); (4) review the included scripts/wp-cli.js locally if you want to verify there's no outbound traffic to unexpected hosts; and (5) run npm install in an isolated environment if you have concerns about dependencies.
scripts/wp-cli.js:48
Environment variable access combined with network send.
!
scripts/wp-cli.js:132
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk9721g8k75kmt739r1t8g6xkyx83ppmv

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments