Skill v1.0.0
VirusTotal security
Wopdpress AI Blogger · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 4:40 AM
- Hash: dbdcdcd6e79684f1b6a7ca26be8b512eff64a65311902e44fd89462df1074153
- Source: palm
- Verdict: suspicious
- Code Insight:
  - Type: OpenClaw Skill
  - Name: wordpress-api-gutenberg
  - Version: 1.0.0
  - The skill bundle is designed for legitimate WordPress REST API interactions. However, the Python scripts `scripts/media_uploader.py` and `scripts/wp_publish.py` exhibit a local file inclusion/disclosure vulnerability. Both scripts accept file paths for media uploads (via command-line arguments, CSV files, or JSON configuration). If an attacker can control these input paths, they could specify arbitrary sensitive local files (e.g., `/etc/passwd`, `~/.ssh/id_rsa`). The scripts would then attempt to read these files and upload their content to the configured WordPress site, leading to unintended data disclosure. This is a significant vulnerability, not evidence of intentional malicious behavior by the skill author.
