Back to skill

Security audit

Elementor Pro Studio

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed WordPress/Elementor automation helper with real setup and credential risks, but its behaviors match its stated purpose and are user-directed.

Install this only for WordPress sites you control. Prefer a staging or local site, use a least-privileged WordPress Application Password, keep .mcp.json out of version control, rotate the password after use, and pin EMCP_PIN_VERSION if you do not want the setup script to install whatever the latest GitHub release is at runtime.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Rogue AgentSelf-Modification, Session Persistence
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The skill first says to ask the user before doing anything, then later instructs the agent to always run multiple MCP calls first. Contradictory instructions increase the chance an agent will perform networked reads against a live WordPress site without clear user consent, which can expose site metadata and violate least-astonishment. In a tool-using agent, ambiguous precedence is a real safety flaw because the model may follow the more specific operational block instead of the earlier guardrail.

External Transmission

Medium
Category
Data Exfiltration
Content
# EMCP_PIN_VERSION (e.g. EMCP_PIN_VERSION=v1.10.0) before running this script.
  EMCP_PIN_VERSION="${EMCP_PIN_VERSION:-}"
  if [ -n "$EMCP_PIN_VERSION" ]; then
    EM_RELEASE_API="https://api.github.com/repos/Digitizers/elementor-mcp/releases/tags/${EMCP_PIN_VERSION}"
    info "Downloading the elementor-mcp fork — pinned to ${EMCP_PIN_VERSION} (trusted Digitizers repo, HTTPS)..."
  else
    EM_RELEASE_API="https://api.github.com/repos/Digitizers/elementor-mcp/releases/latest"
Confidence
88% confidence
Finding
https://api.github.com/

External Transmission

Medium
Category
Data Exfiltration
Content
EM_RELEASE_API="https://api.github.com/repos/Digitizers/elementor-mcp/releases/tags/${EMCP_PIN_VERSION}"
    info "Downloading the elementor-mcp fork — pinned to ${EMCP_PIN_VERSION} (trusted Digitizers repo, HTTPS)..."
  else
    EM_RELEASE_API="https://api.github.com/repos/Digitizers/elementor-mcp/releases/latest"
    info "Downloading the elementor-mcp fork (bundles the MCP Adapter, latest release from the trusted Digitizers repo over HTTPS; set EMCP_PIN_VERSION to pin a tag)..."
  fi
  EM_ZIPBALL=$(curl -s "$EM_RELEASE_API" \
Confidence
88% confidence
Finding
https://api.github.com/

Session Persistence

Medium
Category
Rogue Agent
Content
#!/usr/bin/env bash
# =============================================================================
# setup-elementor-mcp.sh — Wire up the Elementor MCP server against a
# WordPress site (Local-by-Flywheel or live host) and write a .mcp.json
# in the current directory so Claude Code can drive Elementor.
#
# Usage:  bash ~/.claude/scripts/setup-elementor-mcp.sh
Confidence
99% confidence
Finding
write a .mcp.json # in the current directory so Claude Code can drive Elementor. # # Usage: bash ~/.claude

External Script Fetching

High
Category
Supply Chain
Content
EM_RELEASE_API="https://api.github.com/repos/Digitizers/elementor-mcp/releases/latest"
    info "Downloading the elementor-mcp fork (bundles the MCP Adapter, latest release from the trusted Digitizers repo over HTTPS; set EMCP_PIN_VERSION to pin a tag)..."
  fi
  EM_ZIPBALL=$(curl -s "$EM_RELEASE_API" \
    | python3 -c "$JQ_LENIENT_PY"'
import sys
d = _load(sys.stdin.read())
Confidence
97% confidence
Finding
curl -s "$EM_RELEASE_API" \ | python

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.