Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Wordpress REST API
v1.0.0
OpenClaw skill that provides a WordPress REST API CLI for posts, pages, categories, tags, users, and custom requests using plain HTTP.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description, SKILL.md, package.json, and scripts/wp-cli.js all describe a WordPress REST API CLI and the code implements exactly that. However, the registry metadata claims ‘Required env vars: none’ while the SKILL.md and code require WP_BASE_URL (and optionally WP_BASIC_TOKEN, WP_USER/WP_APP_PASSWORD, or WP_JWT_TOKEN). This is an inconsistency in metadata, but the requested envs are appropriate for the stated purpose.
Instruction Scope
SKILL.md instructions and the CLI script confine actions to constructing HTTP requests against a user-provided WordPress base URL and reading optional local JSON files (for bodies). There are no instructions to read unrelated system files, call external endpoints other than the specified WP_BASE_URL, or collect arbitrary credentials.
Install Mechanism
There is no platform-level install spec (lowest risk). The bundle contains package.json and instructs running npm install and node scripts/wp-cli.js; that is consistent with a Node CLI. No downloads from untrusted URLs or extract/install steps are present.
Credentials
The code expects WP_BASE_URL and optional WP credentials (basic token, username+app password, or JWT). Those are proportionate for a WordPress CLI. The only issue is the registry metadata omits these required env vars — the omission could mislead users into thinking no credentials are needed.
Persistence & Privilege
The skill does not request persistent or elevated platform privileges (always is false). It does not modify other skills or system-wide settings.
Assessment
This skill appears to do exactly what it says: a Node CLI that talks to a WordPress site via its REST API. Before installing or running it:
1) Confirm the WP_BASE_URL you supply is correct and points to a site you control or trust.
2) Use a dedicated, low-privilege WordPress account (Application Password) for automation and avoid giving admin credentials if not needed.
3) The registry metadata incorrectly states there are no required env vars — expect to set WP_BASE_URL and one of the credential options (WP_BASIC_TOKEN or WP_USER+WP_APP_PASSWORD or WP_JWT_TOKEN).
4) Review scripts/wp-cli.js locally before running and avoid pasting secrets into public repos; the script will read local JSON files specified with @file, so ensure file paths are safe.
5) Run in an isolated environment if you want to limit blast radius (e.g., container or dedicated CI runner).
Like a lobster shell, security has layers — review code before you run it.
