Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

WordPress Article Publisher

v1.0.0

Automates the creation and publishing of articles on WordPress sites from provided content, streamlining blog and news post workflows.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
The name/description promise automated publishing to WordPress, but the package provides no implementation details, no API/endpoint, and does not declare any WordPress credentials or required binaries — something that would normally be necessary for this purpose.
! Instruction Scope
SKILL.md is a generic, unfinished template with TODOs rather than runtime instructions. It does not describe how the agent should obtain site URLs, authenticate, or perform publishing; its vagueness grants broad, undefined discretion and makes the skill non-functional as-is.
Install Mechanism
No install spec and no code files are included, so nothing will be downloaded or written to disk by the skill installer.
! Credentials
A WordPress publisher would normally require at least site URL and credentials (API key, application password, OAuth tokens, or username/password). The skill declares no required env vars or primary credential — either it is non-functional or expects ad-hoc credential entry, which is disproportionate and unclear.
Persistence & Privilege
The skill is not marked always:true and uses default invocation settings; it does not request persistent system-wide privileges.
Scan Findings in Context
[no-regex-findings] unexpected: The regex scanner found nothing (because there are no code files). For a WordPress publishing skill, you'd expect patterns referencing HTTP calls, wordpress/api, wp-json, or credential env names — their absence supports the conclusion that the skill is incomplete.
What to consider before installing
This skill is incomplete and currently just a template: it does not explain how or where it will publish, nor does it declare the credentials it would need. Do not rely on it until the author provides concrete implementation details. Before installing or using it, ask the developer to provide: (1) the exact publishing mechanism (REST API, XML-RPC, application passwords, or OAuth), (2) the required environment variables or credential flow, (3) the minimum permissions required (avoid admin-level credentials), (4) concrete examples of requests/responses or code snippets, and (5) whether any external code will be downloaded during install. If you must test, do so in a sandbox WordPress site with least-privilege credentials and review any added code or install steps before providing real site credentials.

Like a lobster shell, security has layers — review code before you run it.
