WordPress Publisher Skill

Security checks across malware telemetry and agentic risk

Overview

This skill is built for WordPress publishing, but it handles live-site write access and credentials in ways users should review carefully before installing.

Install only for WordPress sites you control. Use a least-privilege application password, avoid passing it directly in shell commands, verify the site URL, default to draft/preview, and require explicit confirmation before publishing, updating, deleting, or creating categories and tags.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Description-Behavior Mismatch

Medium, 92% confidence
Finding
The skill’s advertised purpose is publishing WordPress content, but it also creates new categories and tags automatically when names do not already exist. This expands the scope of side effects beyond simple publishing and can unexpectedly mutate site taxonomy, which is risky in an agent setting where users may not realize content publication can also create persistent organizational objects.

Description-Behavior Mismatch

Medium, 95% confidence
Finding
The code exposes a delete_post capability even though the skill description focuses on publishing, previewing, and updating content. Hidden destructive functionality is dangerous for agent tooling because it increases the chance of unintended data loss or misuse by upstream orchestration that assumes the skill is non-destructive.

Vague Triggers

Medium, 91% confidence
Finding
The manifest uses very broad trigger phrases such as 'user wants to publish to WordPress' and 'convert markdown to Gutenberg blocks' without narrowing when the skill should or should not activate. In a skill that can directly modify remote CMS content, this increases the chance of over-invocation or accidental use in adjacent contexts, potentially leading to unintended publication or edits on a live WordPress site.

Missing User Warnings

Medium, 95% confidence
Finding
The manifest advertises direct publishing, post updates, and category loading from a website but does not warn users that the skill can perform remote state-changing actions against a live WordPress instance. In this context, missing safety language is significant because the skill is specifically designed to modify external content systems, so users may not appreciate that invoking it can immediately alter production data.

Missing User Warnings

Medium, 95% confidence
Finding
The bug report template explicitly asks users to paste error messages and logs, but provides no warning that logs may contain credentials, tokens, API keys, cookies, internal URLs, or other sensitive operational data. In a public GitHub issue tracker, this creates a realistic risk of inadvertent secret disclosure and information leakage.

Missing User Warnings

Medium, 94% confidence
Finding
Requesting a reproducible code example without instructing users to remove secrets can lead them to post hardcoded credentials, endpoint details, or private content snippets. Given this skill publishes to WordPress via REST APIs, example code is especially likely to contain tokens, usernames, site URLs, or authentication headers that could be abused if exposed publicly.

Missing User Warnings

Medium, 77% confidence
Finding
The changelog advertises destructive operations such as deleting posts and changing publication state without any indication of safeguards, warnings, or confirmation requirements. In a content-management skill with authenticated API access, insufficiently disclosed destructive actions can lead to accidental content loss or unauthorized modification if invoked ambiguously or through prompt misuse.

Missing User Warnings

Medium, 80% confidence
Finding
The file describes authenticated WordPress REST API use and, elsewhere in the changelog, media uploads, but provides no warning that content, credentials, and uploaded assets may be transmitted to a remote WordPress instance. In a publishing skill, this omission can mislead users about privacy boundaries and increase the chance of exposing draft content or sensitive media to external systems.

Missing User Warnings

Medium, 86% confidence
Finding
The README documents a direct publish path using status="publish" and presents it as normal usage without an explicit warning that this causes immediate live-site changes. In an agent skill context, this increases the risk of accidental destructive or reputational impact because an agent or user may invoke publishing without a human review step.

Missing User Warnings

Medium, 98% confidence
Finding
The usage examples instruct users to pass the WordPress application password directly on the command line. Command-line arguments are commonly exposed through shell history, process listings, audit logs, and CI job logs, which can leak credentials to other local users or logging systems.

VirusTotal

64/64 vendors flagged this skill as clean.