Wordpress AEO Autoblogger

Security checks across malware telemetry and agentic risk

Overview

This is a powerful WordPress automation skill whose core purpose is legitimate, but it injects an undisclosed third-party footer link into every published post and can create and modify live content without clear approval gates.

Install only if you are comfortable giving this skill WordPress credentials that can publish and edit posts. Before installing, review or remove the hard-coded third-party footer link, run it against a staging site or in draft-only mode, scope the credentials to the least privilege the job needs, and avoid sending sensitive or internal URLs and unpublished business plans through the scraper and grounding fallbacks, both of which hand data to external services.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 92%
Finding: The skill advertises and instructs use of environment credentials and networked actions but does not declare permissions, which weakens reviewability and consent boundaries for a capability that can access secrets and external services. In this context, the omission is more dangerous because the workflow includes WordPress publishing, scraper/API use, and external indexing, so operators may not realize the full set of side effects and data exposure paths.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: The documented purpose understates materially sensitive behaviors such as validating WordPress credentials by creating/deleting content, contacting external model APIs, maintaining local databases/vector stores, tracking cost usage, and submitting URLs to IndexNow. This mismatch is dangerous because users may invoke the skill expecting content generation only, while it can perform additional state-changing operations against live systems and disclose data to third parties.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding: The pipeline hard-codes a hidden third-party promotional backlink into every published post without tenant/user consent. In an autonomous publishing workflow, this is a supply-chain style content integrity abuse that can manipulate SEO, violate publisher expectations, and silently exfiltrate link equity to an unrelated external domain.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding: The validation routine does more than verify credentials: it creates and deletes a real WordPress draft against the live site. Even though intended as a capability check, setup-time side effects on production systems are dangerous because they can trigger audit logs, webhooks, notifications, plugin automations, or fail midway and leave unwanted content behind.

Vague Triggers

Severity: Medium
Confidence: 86%
Finding: The activation language is broad enough to match many generic SEO/content requests, increasing the chance the skill is invoked outside the user's intended scope. That is more risky here because the skill is not read-only: it can scrape, call external APIs, write persistent data, and publish or update WordPress content, so an overly eager trigger can cause unintended side effects.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The instructions explicitly direct autonomous publication of new content and updates to existing posts via the WordPress REST API without any warning or approval checkpoint for modifying live content. In a production SEO pipeline, that creates a substantial risk of accidental defacement, unauthorized content changes, reputational harm, and operational disruption if triggered on the wrong site or with bad inputs.
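The overview's advice (review the footer link, run draft-only) and the two findings above (a hard-coded backlink in every post, autonomous publishing with no approval checkpoint) can be enforced at one choke point: the step that builds the WordPress REST request. The following is an added example written for this page, not code from the skill or from SkillSpector. It assumes the payload shape of the WP REST `wp/v2/posts` endpoint (`title`, `content`, `status`); the site and sponsor hostnames are constructed.

```python
"""Added example: a pre-publish gate for an autonomous WordPress posting step.

It builds the WP REST API payload the skill would send, refuses content that
links to hosts outside an explicit allowlist (which catches a hard-coded footer
backlink), and forces status=draft unless an operator has approved publishing.
Standard library only; nothing here talks to a real site.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _LinkCollector(HTMLParser):
    """Collect href values of <a> tags from post HTML."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def external_link_hosts(html, site_host):
    """Return the set of hostnames linked from html that are not site_host.

    Relative links have no hostname and are ignored.
    """
    parser = _LinkCollector()
    parser.feed(html)
    hosts = set()
    for href in parser.hrefs:
        host = urlsplit(href).hostname
        if host and host.lower() != site_host.lower():
            hosts.add(host.lower())
    return hosts


def gate_post(title, html, *, site_host, allowed_hosts=frozenset(),
              approved=False, post_id=None):
    """Return (endpoint, payload) for the wp/v2/posts REST route, or raise ValueError.

    - Any link to a host not in allowed_hosts blocks the request entirely.
    - status is "publish" only when approved=True; otherwise "draft".
    - post_id selects an update (wp/v2/posts/{id}) instead of a create, so
      edits to live posts pass through the same gate as new posts.
    """
    unexpected = external_link_hosts(html, site_host) - {h.lower() for h in allowed_hosts}
    if unexpected:
        raise ValueError(f"unapproved external link hosts: {sorted(unexpected)}")
    endpoint = "wp/v2/posts" if post_id is None else f"wp/v2/posts/{post_id}"
    payload = {"title": title, "content": html, "status": "publish" if approved else "draft"}
    return endpoint, payload


# Constructed sample: a generated article body with a footer backlink appended
# to a domain the site owner never approved (example domains, not real ones).
SAMPLE_HTML = (
    "<h2>Answer-engine optimisation basics</h2>"
    "<p>See our <a href='https://blog.example.com/aeo-guide'>guide</a>.</p>"
    "<p>Powered by <a href='https://sponsor.example.net/?ref=autoblog'>AutoBlog</a></p>"
)


def demo():
    """Run the gate over the sample twice and return the outcomes."""
    try:
        gate_post("AEO basics", SAMPLE_HTML, site_host="blog.example.com")
        blocked = None
    except ValueError as e:
        blocked = str(e)
    # Operator reviewed and explicitly allowed the sponsor host, but did not
    # approve publishing, so the post is still created as a draft.
    endpoint, draft = gate_post("AEO basics", SAMPLE_HTML, site_host="blog.example.com",
                                allowed_hosts={"sponsor.example.net"})
    return blocked, endpoint, draft["status"]


if __name__ == "__main__":
    print(demo())
```

The gate deliberately fails closed: an unlisted host aborts the request rather than stripping the link, because silently rewriting generated content is exactly the behaviour the finding objects to. The `approved` flag is the approval checkpoint; in a real pipeline it would be set by a human or an explicit per-run configuration value, never by the model.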

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: When grounded mode is used with non-Gemini providers, the code extracts query text from the prompt and sends it to Jina Search, an external third-party service. Because prompts in this skill can contain proprietary business data, customer content, or unpublished SEO plans, this creates a real data-exfiltration/privacy risk, especially since there is no consent gate, allowlist, redaction step, or clear disclosure enforced in this file.

Missing User Warnings

Severity: Medium
Confidence: 85%
Finding: The code sends user-supplied target URLs to the external Jina Reader service and may attach an Authorization header when a JINA_API_KEY is configured. In a skill that performs autonomous scraping and SEO workflows, this creates a real data-disclosure boundary: sensitive internal, authenticated, or user-provided URLs could be unintentionally transmitted to a third-party service without validation, scoping, or explicit consent.
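The validation and scoping this finding says is missing is a small egress check that runs before any URL leaves for the reader service. The following is an added example written for this page, not the skill's code. It uses Jina Reader's prefix form (`https://r.jina.ai/<url>`) for the outbound target; the internal-suffix list and the sample URLs are constructed assumptions.

```python
"""Added example: vetting a user-supplied URL before handing it to an external reader.

The check refuses anything that should never leave the operator's network
(loopback, private/link-local/reserved IPs, bare or internal-looking hostnames),
refuses URLs with embedded credentials, strips the query string and fragment
(where session tokens and signed links usually live), and optionally enforces a
host allowlist. It is purely syntactic; see the note after the block.
"""
import ipaddress
from urllib.parse import urlsplit, urlunsplit

# Assumed internal hostname suffixes; extend for your environment.
INTERNAL_SUFFIXES = (".local", ".internal", ".corp", ".lan", ".localhost")
READER_PREFIX = "https://r.jina.ai/"


def vet_url_for_third_party(url, allow_hosts=None):
    """Return (ok, reason, outbound_target); outbound_target is None when refused."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "non-http scheme", None
    if parts.username or parts.password:
        return False, "embedded credentials", None
    host = (parts.hostname or "").lower()
    if not host:
        return False, "missing host", None
    if host == "localhost" or host.endswith(INTERNAL_SUFFIXES) or "." not in host:
        return False, "internal hostname", None
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # a DNS name, not a literal address
    if ip is not None and not ip.is_global:
        return False, "non-public IP", None
    if allow_hosts is not None and host not in {h.lower() for h in allow_hosts}:
        return False, "host not on allowlist", None
    netloc = host if parts.port is None else f"{host}:{parts.port}"
    clean = urlunsplit((parts.scheme, netloc, parts.path or "/", "", ""))
    return True, "ok", READER_PREFIX + clean


# Constructed sample inputs covering each refusal reason plus one accepted URL.
SAMPLE_URLS = [
    "https://example.com/blog/post?token=abc#top",
    "http://10.0.0.5/admin",
    "http://localhost:8000/",
    "https://user:pw@example.com/",
    "http://wiki.corp/page",
    "file:///etc/passwd",
]


def vet_all(urls, allow_hosts=None):
    """Vet each URL and return a mapping of url -> (ok, reason, outbound_target)."""
    return {u: vet_url_for_third_party(u, allow_hosts) for u in urls}


if __name__ == "__main__":
    for u, result in vet_all(SAMPLE_URLS).items():
        print(f"{u:45} -> {result}")
```

Two caveats a practitioner should keep in mind: a public hostname that resolves to an internal address (DNS rebinding) is not caught by a syntactic check and needs a resolution-time test in the HTTP client, and stripping the query string will break pages that genuinely need it, so that trade-off should be an explicit operator choice rather than a silent default.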

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The code performs a destructive/state-changing WordPress operation during setup without any user-facing warning, confirmation, or explicit consent at the call site. In an autonomous content-generation/publishing skill, silent live-site mutations are more risky because operators may invoke setup expecting harmless validation while the code alters production content state.
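Both findings about the setup routine (the draft create/delete as a capability check, and the same mutation lacking any confirmation) have a non-mutating alternative: ask the REST API who the caller is and what the account may do, then judge the answer against a least-privilege expectation. The following is an added example written for this page, not the skill's code. It relies on the WordPress REST route `wp/v2/users/me` with `context=edit`, which requires authentication and returns the account's `capabilities` and `roles`; the capability lists and the sample responses are constructed assumptions.

```python
"""Added example: a read-only WordPress credential and privilege check.

Instead of creating and deleting a draft, this builds a GET request to
/wp-json/wp/v2/users/me?context=edit and evaluates the JSON it returns:
required capabilities must be present, high-privilege ones should be absent,
and publish_posts is only acceptable when the operator opted in to publishing.
Request building and response evaluation are separate functions so the
evaluation can be exercised offline on constructed responses.
"""
from urllib.parse import urlencode

# Capabilities the autoblogger needs for draft-only operation (assumed).
REQUIRED_CAPS = ("edit_posts", "upload_files")
# Capabilities that mean the account is far more powerful than the job needs (assumed).
OVERPRIVILEGED_CAPS = ("manage_options", "install_plugins", "edit_users", "delete_users")


def capability_probe_url(base_url):
    """URL of the read-only probe; send it with the skill's existing Basic auth."""
    return base_url.rstrip("/") + "/wp-json/wp/v2/users/me?" + urlencode({"context": "edit"})


def evaluate_identity(me_json, required=REQUIRED_CAPS, overprivileged=OVERPRIVILEGED_CAPS,
                      allow_publish=False):
    """Decide whether the authenticated account fits a least-privilege autoblogger role."""
    caps = me_json.get("capabilities", {})
    missing = [c for c in required if not caps.get(c)]
    excessive = [c for c in overprivileged if caps.get(c)]
    if caps.get("publish_posts") and not allow_publish:
        excessive.append("publish_posts")
    return {
        "user": me_json.get("slug"),
        "roles": me_json.get("roles", []),
        "ok": not missing and not excessive,
        "missing": missing,
        "excessive": excessive,
    }


# Constructed responses in the shape of wp/v2/users/me?context=edit (abridged).
AUTHOR_BOT = {
    "slug": "autoblog-bot",
    "roles": ["author"],
    "capabilities": {"edit_posts": True, "upload_files": True, "publish_posts": True},
}
ADMIN = {
    "slug": "admin",
    "roles": ["administrator"],
    "capabilities": {"edit_posts": True, "upload_files": True, "publish_posts": True,
                     "manage_options": True, "install_plugins": True,
                     "edit_users": True, "delete_users": True},
}


if __name__ == "__main__":
    print(capability_probe_url("https://blog.example.com/"))
    print(evaluate_identity(AUTHOR_BOT))
    print(evaluate_identity(ADMIN, allow_publish=True))
```

Running this during setup answers the same question the draft create/delete was meant to answer (do these credentials work, and can they write posts?) without touching content, and it additionally refuses an administrator application password, which the destructive check would have happily accepted.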

VirusTotal

67/67 vendors flagged this skill as clean.