WordPress Publisher Skill

Pass

Audited by ClawScan on May 10, 2026.

Overview

The skill is coherent for WordPress publishing, but it needs WordPress application-password access and can change public site content, so users should preview and approve actions carefully.

This appears to be a normal WordPress publishing skill. Before installing or using it, verify the source, use a dedicated WordPress application password with the least privilege practical, start with draft mode, preview the result, and explicitly approve any publish, schedule, update, category creation, media upload, or deletion action.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone using the skill may give the agent API access capable of creating or changing WordPress content, depending on the account role.

Why it was flagged

The skill requires WordPress account credentials. This is expected for the stated publishing purpose, but it gives the agent delegated access to the user's WordPress site.

Skill content

Ask user for:
- WordPress site URL
- WordPress username
- Application password (NOT regular password)

Recommendation

Use a WordPress application password, not your regular password; use the lowest-privilege account that can do the task; revoke the application password when no longer needed.

What this means

A mistaken or overly broad instruction could alter or remove website content, or make draft content public.

Why it was flagged

The documented capability includes high-impact WordPress mutations, including publishing, updating, deleting, page management, and scheduled/future statuses. These fit a publisher skill but should be user-controlled.

Skill content

- Create, update, and delete posts
- Create and manage pages
- Support for all post statuses (draft, publish, pending, private, future)

Recommendation

Default to drafts, review preview/edit URLs, and require explicit user confirmation before publishing, scheduling, updating existing posts, creating categories, or deleting content.

What this means

Users have less registry-level provenance information to rely on before granting access to a WordPress site.

Why it was flagged

The registry-level source/homepage information is incomplete, while the skill asks for WordPress credentials and can mutate site content. This is a provenance notice, not evidence of malicious behavior.

Skill content

Source: unknown
Homepage: none

Recommendation

Verify the package source and author before installing, review the included scripts if possible, and use a limited WordPress application password.