Back to skill
Skillv1.0.0
ClawScan security
Blog with Wordpress · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
SuspiciousApr 5, 2026, 1:57 PM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's instructions match its stated purpose (publishing to WordPress) but the package metadata does not declare the credentials and config path the runtime explicitly requires — an incoherence that warrants caution.
- Guidance
- This skill appears to do what it says (publish posts to WordPress), but the SKILL.md expects sensitive credentials in a workspace .env and reads a specific path (/root/.openclaw/workspace/.env) while the skill metadata declares no required env vars or config paths. Before installing: 1) confirm the source/author and trustworthiness since no homepage/source is provided; 2) require the pack author to update metadata to declare WP_BLOG_URL, WP_USERNAME, WP_APP_PASSWORD (and mark WP_APP_PASSWORD as the primary credential) and to list the config path being read; 3) prefer using a WordPress application password tied to a low-privilege user and test on a staging site first (not a production blog); 4) be aware the instructions publish posts with status "publish" — if you want drafts first, modify the workflow; 5) rotate/revoke the application password after testing. If the author cannot or will not fix the metadata discrepancies, treat installation as higher risk and avoid granting credentials.
Review Dimensions
- Purpose & Capability
- noteThe name/description (publish to WordPress, manage categories/tags, generate slugs) align with the runtime steps (calls to the WP REST API to create categories, tags, and posts). Requiring a WordPress URL, username, and application password is appropriate for this functionality, so the actual capability is coherent with the purpose.
- Instruction Scope
- concernThe SKILL.md instructs the agent to source a specific workspace file (/root/.openclaw/workspace/.env) and expects WP_BLOG_URL, WP_USERNAME, and WP_APP_PASSWORD to be present. That file path and those variables are not declared in the skill metadata. The instructions also specify automatically publishing posts (status: "publish") and include a directive to 'TRIGGER this skill whenever user mentions publishing', which increases the impact if invoked autonomously. Aside from these issues, the actions stay within the WordPress REST API domain.
- Install Mechanism
- okThis is an instruction-only skill with no install spec and no code files. That is the lowest-risk install model (nothing is written to disk by the skill package itself).
- Credentials
- concernThe runtime requires WP_BLOG_URL, WP_USERNAME, and WP_APP_PASSWORD (an application password) in a workspace .env, but the registry metadata lists no required env vars or config paths and has no primary credential declared. This mismatch is significant: the skill will consume sensitive credentials but does not declare them in metadata for reviewers or policy controls.
- Persistence & Privilege
- notealways is false and the skill is user-invocable; model invocation is allowed (the platform default). The SKILL.md's explicit 'TRIGGER' text encourages automatic invocation when users mention publishing; combined with the missing-declaration issues above, that increases risk but by itself is not a platform privilege escalation.