WordPress Ultimate
Security checks across malware telemetry and agentic risk
Overview
The skill is mostly what it says (a WordPress REST wrapper) but it contains clear inconsistencies and a risky behavior: it walks up the workspace looking for a .env and blindly exports every key it finds, and the declared required binaries don't match what the scripts actually call.
This skill largely does what it claims (wraps the WP REST API), but review the scripts before installing. Specific things to consider:
1) The scripts search up to five parent directories for a .env and export every key=value found; this can load unrelated secrets from your workspace. Only install or run this skill if you are sure no sensitive .env files exist above the skill directory, or modify the scripts to read only the three required variables.
2) The scripts call python3 and 'file --mime-type' but the SKILL.md lists jq (which isn't used) instead. Ensure your runtime has python3 and file, or update the skill to declare accurate dependencies.
3) wp-upload.sh will upload arbitrary files from your workspace to your WP site; do not run it on sensitive files.
4) Consider running the scripts in an isolated/test environment first, and prefer supplying WP credentials via process environment rather than relying on traversing .env files.
If you need help hardening the scripts (limit .env lookup, whitelist env keys, avoid exporting everything), review or patch them before use.
SkillSpector
SkillSpector findings are pending for this release.
VirusTotal
No VirusTotal findings
