Back to skill

Security audit

Wordpress REST API

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed WordPress API automation skill, but it can change or delete WordPress content when configured with powerful credentials.

Install only if you want an agent to operate a WordPress site through the REST API. Use a dedicated low-privilege application password, set WP_BASE_URL to the intended HTTPS site, prefer draft workflows, require explicit approval for create/update/delete/publish/raw request actions, and never pass secrets or unrelated local files through @file.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill explicitly relies on environment variables for credentials and on outbound network access to a WordPress instance, but the metadata does not declare those capabilities. Undeclared env and network use weakens reviewability and consent, because an agent or operator may invoke a skill with secret-bearing environment access and remote write capability without clear permission signaling.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The generic `request` command expands the skill beyond its declared resource-scoped WordPress CLI into an arbitrary authenticated API caller for any endpoint under the WordPress REST API root. In an agent context, this increases the attack surface because prompts or downstream tools can invoke privileged endpoints not covered by the advertised interface, including plugin/custom endpoints with sensitive side effects.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The `@file` syntax allows the caller to read arbitrary local files and embed their contents into outbound authenticated requests. In an agent setting, this creates a local-file-to-network exfiltration primitive: a malicious prompt can direct the tool to read sensitive local JSON files and send them to a remote WordPress instance.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The skill advertises create, update, and delete operations for WordPress posts and pages, plus raw requests, but does not prominently warn that these commands can modify or permanently remove production content. In automation contexts this increases the chance of unintended destructive actions, especially when credentials belong to an Editor/Admin account and the skill is positioned as 'production-ready.'

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The script performs authenticated create, update, and delete operations directly against WordPress content without any confirmation, dry-run mode, or safety interlock. In an autonomous or semi-autonomous agent environment, this makes accidental or prompt-induced destructive changes to production content more likely.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The generic request path can issue arbitrary authenticated HTTP methods and bodies to any WordPress REST endpoint under the configured site, without warning or guardrails. This is more dangerous than the resource-specific commands because it can reach custom/plugin endpoints and trigger unexpected data disclosure or state changes outside the advertised scope.

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/wp-cli.js:48