WordPress Publisher Skill
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: wordpress-publishing-skill-for-claude Version: 0.1.0 The skill bundle is designed for publishing content to WordPress via its REST API. All code (`wp_publisher.py`, `content_to_gutenberg.py`) and documentation (`SKILL.md`, `README.md`) are clearly aligned with this stated purpose. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, or harmful prompt injection against the agent. Network calls are confined to the specified WordPress site, and file access is limited to content for publishing or local script execution. The dependencies are minimal and standard (`requests`).
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone using the skill may give the agent API access capable of creating or changing WordPress content, depending on the account role.
The skill requires WordPress account credentials. This is expected for the stated publishing purpose, but it gives the agent delegated access to the user's WordPress site.
Ask user for:\n- WordPress site URL\n- WordPress username\n- Application password (NOT regular password)
Use a WordPress application password, not your regular password; use the lowest-privilege account that can do the task; revoke the application password when no longer needed.
A mistaken or overly broad instruction could alter or remove website content, or make draft content public.
The documented capability includes high-impact WordPress mutations, including publishing, updating, deleting, page management, and scheduled/future statuses. These fit a publisher skill but should be user-controlled.
- Create, update, and delete posts\n- Create and manage pages\n- Support for all post statuses (draft, publish, pending, private, future)
Default to drafts, review preview/edit URLs, and require explicit user confirmation before publishing, scheduling, updating existing posts, creating categories, or deleting content.
Users have less registry-level provenance information to rely on before granting access to a WordPress site.
The registry-level source/homepage information is incomplete, while the skill asks for WordPress credentials and can mutate site content. This is a provenance notice, not evidence of malicious behavior.
Source: unknown\nHomepage: none
Verify the package source and author before installing, review the included scripts if possible, and use a limited WordPress application password.