ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

WordPress API Pro

WordPress REST API integration for managing posts, pages, media, and more on self-hosted WordPress sites. Use when you need to create, update, or retrieve Wo...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
1 · 293 · 0 current installs · 0 all-time installs
byBen Kalsky@benkalsky
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The scripts (create/update/list/batch/upload/woo/ACF/Elementor/etc.) match the stated purpose of a WordPress REST API integration. However the registry metadata claims 'no required env vars / no primary credential' while the SKILL.md and all scripts require a WordPress username and Application Password (WP_APP_PASSWORD or per-site app_password in config). That mismatch is an incoherence in the published metadata.
Instruction Scope
SKILL.md and the scripts are explicit about which API calls to make; they only operate against the target WordPress sites. They do instruct you to copy a config file (config/sites.json) that may contain app passwords and to set environment variables (WP_URL/WP_USERNAME/WP_APP_PASSWORD). A minor scope concern: some examples and earlier changelog refer to passing credentials on the command line (which exposes them in process lists) even though a changelog entry claims credentials were moved to environment variables — both methods are still present in examples and many scripts accept CLI args.
Install Mechanism
There is no remote download/install step in the skill bundle (no install spec). Code is included in the package; manual install examples reference a GitHub repo. No suspicious external install URLs or archive extraction steps were found.
!
Credentials
The scripts legitimately require WordPress credentials (username + Application Password or per-site app_password in config), which is proportional to the skill's function. The concern is that the registry metadata did not declare these required environment variables/credentials, and the provided multi-site config file pattern encourages storing app passwords in a local config file (config/sites.json) which could be accidentally committed or mishandled. Also some examples still show CLI credential arguments (exposed via ps), contradicting the changelog claim to avoid that.
Persistence & Privilege
The skill does not request permanent/autonomous elevation (always: false) and does not modify other skills or system-wide settings. It operates only when invoked by the user/CLI wrapper.
What to consider before installing
This skill's code matches its advertised purpose (managing WordPress sites), but the published metadata omitted that it requires WordPress credentials. Before installing: 1) Verify the skill's source (official repo or trusted author). 2) Prefer creating an Application Password with minimal privileges and use environment variables (WP_APP_PASSWORD) rather than placing passwords in config files or passing them on the command line. 3) If you use the multi-site config, store config/sites.json with strict filesystem permissions and do not commit it to git. 4) Inspect the included scripts yourself (they are present) to confirm there are no additional remote endpoints or telemetry. 5) Run the skill in an isolated environment (or on staging sites) first, and avoid giving it credentials for high-privilege accounts. If you want, provide the upstream repository URL or signature so I can re-check origin and reduce uncertainty.

Like a lobster shell, security has layers — review code before you run it.

Current versionv3.2.1
Download zip
latestvk970fp64vk66evxpvd3q85ys2s83sssd

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

WordPress API

Interact with WordPress sites via the REST API. Create, update, and manage posts, pages, media, and more on any WordPress installation.

Quick Start

Single Site (Direct)

# Update a post
python3 scripts/update_post.py \
  --url "https://example.com" \
  --username "admin" \
  --app-password "xxxx xxxx xxxx xxxx" \
  --post-id 123 \
  --content "New content here" \
  --status "publish"

Multi-Site (CLI Wrapper) ⭐

# Setup: Copy config template and add your sites
cp config/sites.example.json config/sites.json
# Edit config/sites.json with your sites

# List configured sites
./wp.sh --list-sites

# Update post on specific site
./wp.sh digitizer-studio update-post --id 123 --content "New content"

# Run on all sites in a group
./wp.sh digitizer update-post --id 456 --status "publish"

# Batch update across multiple sites
python3 scripts/batch_update.py --group digitizer --post-ids 123,456 --status "publish"

Authentication

WordPress REST API supports two authentication methods:

1. Application Password (Recommended) ⭐

Setup:

  1. Go to: https://yoursite.com/wp-admin/profile.php
  2. Scroll to "Application Passwords"
  3. Name: "OpenClaw API" (or any name)
  4. Click "Add New Application Password"
  5. Copy the password (shows only once!)

Format: xxxx xxxx xxxx xxxx xxxx xxxx (24 characters with spaces)

Usage: Pass as --app-password to scripts or set WP_APP_PASSWORD environment variable

2. Basic Auth (Legacy)

Requires Basic Auth plugin. Less secure, not recommended for production.

Environment Variables

Set these to avoid passing credentials every time:

export WP_URL="https://example.com"
export WP_USERNAME="admin"
export WP_APP_PASSWORD="xxxx xxxx xxxx xxxx xxxx xxxx"

Multi-Site Management

Configuration

  1. Copy the example config:
cp config/sites.example.json config/sites.json
  1. Edit config/sites.json with your sites:
{
  "sites": {
    "my-site": {
      "url": "https://mysite.com",
      "username": "admin",
      "app_password": "xxxx xxxx xxxx",
      "description": "My WordPress site"
    }
  },
  "groups": {
    "all": ["my-site"]
  }
}

CLI Wrapper (./wp.sh)

# List sites
./wp.sh --list-sites
./wp.sh --list-groups

# Single site operations
./wp.sh my-site update-post --id 123 --content "..."
./wp.sh my-site create-post --title "..." --content "..."
./wp.sh my-site get-post --id 123
./wp.sh my-site list-posts --per-page 10

# Group operations (runs on all sites in group)
./wp.sh all update-post --id 123 --status "publish"

Batch Operations

# Update multiple posts across multiple sites
python3 scripts/batch_update.py \
  --group digitizer \
  --post-ids 123,456,789 \
  --status "publish"

# Update meta field on all sites
python3 scripts/batch_update.py \
  --sites all \
  --post-ids 100 \
  --meta-key "seo_score" \
  --meta-value "95"

# Dry run (see what would happen)
python3 scripts/batch_update.py \
  --group all \
  --post-ids 123 \
  --status "draft" \
  --dry-run

Individual Scripts

All scripts support both command-line arguments and environment variables.

Update Post

python3 scripts/update_post.py \
  --post-id 123 \
  --content "Updated content" \
  --title "New Title" \
  --status "publish"

Supports:

  • Content (HTML or Gutenberg blocks)
  • Title
  • Status (publish, draft, pending, private)
  • Featured image ID
  • Custom fields (meta)

Create Post

python3 scripts/create_post.py \
  --title "New Post" \
  --content "Post content" \
  --status "draft"

Get Post

python3 scripts/get_post.py --post-id 123

Returns full post data as JSON.

List Posts

python3 scripts/list_posts.py --per-page 10 --status "publish"

Options:

  • --per-page N - Posts per page (default: 10, max: 100)
  • --page N - Page number
  • --status STATUS - Filter by status (publish, draft, pending, private)
  • --author ID - Filter by author

Plugin Integration

Detect Plugins

Automatically detect installed WordPress plugins (ACF, Rank Math, Yoast, JetEngine):

python3 scripts/detect_plugins.py
python3 scripts/detect_plugins.py --verbose

ACF (Advanced Custom Fields)

Read and write ACF fields with automatic fallback to postmeta:

# Get all ACF fields
python3 scripts/acf_fields.py --post-id 123

# Get specific field
python3 scripts/acf_fields.py --post-id 123 --field my_field

# Set fields from JSON
python3 scripts/acf_fields.py --post-id 123 --set '{"field1": "value1", "field2": "value2"}'

# Set single field
python3 scripts/acf_fields.py --post-id 123 --field my_field --value "my value"

Features:

  • Automatic REST API detection with postmeta fallback
  • Support for simple, repeater, and group fields
  • JSON input/output for complex field structures

SEO Meta (Rank Math & Yoast)

Read and write SEO meta fields with auto-detection:

# Auto-detect plugin and get meta
python3 scripts/seo_meta.py --post-id 123

# Detect which SEO plugin is active
python3 scripts/seo_meta.py --post-id 123 --detect

# Get specific plugin's meta
python3 scripts/seo_meta.py --post-id 123 --plugin rankmath
python3 scripts/seo_meta.py --post-id 123 --plugin yoast

# Set SEO meta
python3 scripts/seo_meta.py --post-id 123 --set '{"title": "SEO Title", "description": "Meta description"}'

# Set with specific plugin
python3 scripts/seo_meta.py --post-id 123 --plugin rankmath --set '{"focus_keyword": "keyword"}'

Supported fields:

  • Rank Math: title, description, focus_keyword, robots, canonical_url, schema
  • Yoast: title, description, focus_keyword, canonical, meta_robots_noindex, meta_robots_nofollow

JetEngine Fields

Read and write JetEngine custom fields (stored as postmeta):

# Get all JetEngine fields
python3 scripts/jetengine_fields.py --post-id 123

# Get specific field
python3 scripts/jetengine_fields.py --post-id 123 --field my_field

# Set fields from JSON
python3 scripts/jetengine_fields.py --post-id 123 --set '{"field1": "value1", "field2": "value2"}'

# Set single field
python3 scripts/jetengine_fields.py --post-id 123 --field my_field --value "my value"

Elementor Content

Manage Elementor page builder content via _elementor_data meta field:

# Get Elementor data for a page
python3 scripts/elementor_content.py --post-id 123 --action get

# Update specific widget content
python3 scripts/elementor_content.py \
  --post-id 123 \
  --action update \
  --widget-id "abc123" \
  --content "New heading text"

Supported widget types:

  • Headings (heading)
  • Text Editor (text-editor)
  • Buttons (button)
  • Generic fallback for other widgets

How it works:

  • Gets page data with _elementor_data meta field
  • Parses JSON structure
  • Finds widget by ID (recursively through nested elements)
  • Updates content based on widget type
  • Saves back to WordPress

Media Upload

Upload images and files to WordPress media library:

# Upload local file
python3 scripts/upload_media.py \
  --file "/path/to/image.jpg" \
  --title "My Image" \
  --alt-text "Description for accessibility"

# Upload from URL
python3 scripts/upload_media.py \
  --file "https://example.com/image.jpg" \
  --title "Remote Image"

# Upload and set as featured image
python3 scripts/upload_media.py \
  --file "image.jpg" \
  --set-featured \
  --post-id 123

Features:

  • Supports local files and URLs
  • Auto-detects MIME type
  • Returns media ID for further operations
  • Can set as featured image in one call

WooCommerce Products

Manage WooCommerce products via REST API v3:

# List products
python3 scripts/woo_products.py \
  --consumer-key "ck_..." \
  --consumer-secret "cs_..." \
  --action list \
  --per-page 10

# Get single product
python3 scripts/woo_products.py \
  --consumer-key "ck_..." \
  --consumer-secret "cs_..." \
  --action get \
  --product-id 456

# Create product
python3 scripts/woo_products.py \
  --consumer-key "ck_..." \
  --consumer-secret "cs_..." \
  --action create \
  --title "New Product" \
  --price "29.99" \
  --description "Product description" \
  --status "publish"

# Update product
python3 scripts/woo_products.py \
  --consumer-key "ck_..." \
  --consumer-secret "cs_..." \
  --action update \
  --product-id 456 \
  --price "39.99" \
  --status "publish"

Authentication:

  • Requires WooCommerce Consumer Key and Consumer Secret
  • Get from: WooCommerce → Settings → Advanced → REST API
  • Environment variables: WC_CONSUMER_KEY, WC_CONSUMER_SECRET

Supported fields:

  • --title / --name - Product name
  • --price - Regular price
  • --sale-price - Sale price
  • --description - Full description
  • --short-description - Short description
  • --status - publish, draft, pending, private
  • --sku - Stock keeping unit
  • --stock-quantity - Stock amount
  • --manage-stock - Enable stock management

Gutenberg Blocks

WordPress uses Gutenberg block format for content. See references/gutenberg-blocks.md for details.

Example block:

<!-- wp:paragraph -->
<p>This is a paragraph.</p>
<!-- /wp:paragraph -->

API Reference

See references/api-reference.md for complete WordPress REST API documentation.

Common endpoints:

  • /wp-json/wp/v2/posts - Posts
  • /wp-json/wp/v2/pages - Pages
  • /wp-json/wp/v2/media - Media
  • /wp-json/wp/v2/users - Users
  • /wp-json/wp/v2/categories - Categories
  • /wp-json/wp/v2/tags - Tags

Error Handling

All scripts return:

  • Exit code 0 on success
  • Exit code 1 on error
  • JSON output to stdout
  • Error messages to stderr

Security

  • DO: Use Application Passwords
  • DO: Use HTTPS only
  • DO: Store credentials in environment variables
  • DON'T: Hardcode passwords in scripts
  • DON'T: Use Basic Auth in production
  • DON'T: Commit credentials to git

Limitations

  • Requires WordPress 4.7+ (REST API built-in)
  • Requires Application Passwords plugin for WordPress <5.6
  • Some endpoints require specific user permissions
  • Rate limiting depends on host configuration

Files

22 total
Select a file
Select a file to preview.

Comments

Loading comments…