Wordpress OAuth

v1.0.0

Start and complete WordPress.com OAuth and publish posts through the WordPress.com REST API. Use when you need to generate an authorization URL, exchange cal...

by Ibrahim El Nemr (@ibrahimelnemr)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (WordPress OAuth + publish) match the code and instructions. The script only contacts wordpress.com OAuth and REST endpoints and writes local state/credentials; no unrelated services, binaries, or config paths are requested.
Instruction Scope
SKILL.md instructs the user to run the included Python script and to supply client id/secret/redirect/site via flags or shell variables. The instructions and script operate only on files inside the skill directory (oauth_state.json, credentials.json) and the WordPress API. Minor mismatch: SKILL.md references env vars by name (e.g., WPCOM_CLIENT_ID), but the script reads values from CLI flags (examples use shell variable expansion, which is fine).
Install Mechanism
No install spec; the skill is delivered as source (one Python file and SKILL.md). No third-party downloads, package installers, or archive extraction are used.
Credentials
The skill does not declare required environment variables in the registry metadata, but it expects client ID/secret/redirect/site to be provided at runtime (via flags or shell-expanded env vars). Requesting client secret and storing an access_token is appropriate for OAuth; storing credentials.json locally is expected but is sensitive and should be protected.
Persistence & Privilege
always is false and the skill stores state/credentials only in its own directory. It does not modify other skills or system-wide configuration. The skill can be invoked autonomously by the agent (platform default), which is normal for skills of this type.
Assessment
This skill appears to do what it claims: run an OAuth flow against WordPress.com and publish posts. Before installing or using it, consider:

  1. The skill will create oauth_state.json and credentials.json in the skill directory containing sensitive tokens and client secrets—keep that directory private and back up/remove credentials when no longer needed.
  2. Supply client_id/secret/redirect/site via CLI flags or secure shell environment variables (examples use shell expansion).
  3. The script attempts to set restrictive file permissions but may not succeed on all OSes—verify the files are not world-readable.
  4. Review the full Python file (the repository includes the code) yourself if you need higher assurance (the provided snippet is consistent, but the file was truncated in the listing).
  5. If you plan to allow autonomous agent invocation, be aware the agent could call publish-post using stored credentials—limit that capability if you don't want unattended publishing.

Like a lobster shell, security has layers — review code before you run it.


SKILL.md

WordPress OAuth Skill

Use this skill to run a human-in-the-loop OAuth flow and publish posts with a stored bearer token.

Files in this skill

  • Script: {baseDir}/wp_oauth_skill.py
  • OAuth state store: {baseDir}/oauth_state.json
  • Credential store: {baseDir}/credentials.json

This skill stores state and credentials in files inside this skill directory.

Commands

Run the script with Python 3:

python3 {baseDir}/wp_oauth_skill.py --help

1) Begin OAuth

python3 {baseDir}/wp_oauth_skill.py begin-oauth \
  --client-id "$WPCOM_CLIENT_ID" \
  --redirect-uri "$WPCOM_REDIRECT_URI" \
  --scope "posts media" \
  --blog "$WPCOM_SITE"

Returns auth_url and state. Open the URL, approve access, then copy the callback URL.

2) Exchange Token

python3 {baseDir}/wp_oauth_skill.py exchange-token \
  --client-id "$WPCOM_CLIENT_ID" \
  --client-secret "$WPCOM_CLIENT_SECRET" \
  --redirect-uri "$WPCOM_REDIRECT_URI" \
  --callback-url "https://example/callback?code=...&state=..."

Validates CSRF state, exchanges code for token, and writes credentials to {baseDir}/credentials.json.

3) Token Info

python3 {baseDir}/wp_oauth_skill.py token-info --client-id "$WPCOM_CLIENT_ID"

Checks token validity with WordPress token-info endpoint.

4) Publish Post

python3 {baseDir}/wp_oauth_skill.py publish-post \
  --site "$WPCOM_SITE" \
  --title "My post" \
  --content "<p>Hello from OpenClaw</p>" \
  --status draft

Publishes a post via POST /rest/v1.1/sites/$site/posts/new using the stored token.

Recommended flow

  1. Run begin-oauth.
  2. Open auth_url in browser and authorize.
  3. Paste callback URL into exchange-token.
  4. Optionally run token-info.
  5. Run publish-post.

Security notes

  • Never share credentials.json or client secrets.
  • Keep first test posts as draft.
  • Re-run begin-oauth if callback state fails or auth code expires.
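
The state check from step 2 and the world-readable-file caveat from the assessment, as an added example. This is not the skill's own wp_oauth_skill.py, whose source is not shown on this page; the function names are hypothetical, and the permission check is meaningful on POSIX systems only.

```python
# Added example, not code from wp_oauth_skill.py. All function names are hypothetical.
import hmac, json, os, secrets, stat
from urllib.parse import urlsplit, parse_qs


def write_private_json(path, data):
    """Create the file with mode 0600 so it is never group/world-readable."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.chmod(path, 0o600)  # tighten a pre-existing file before writing secrets
    with os.fdopen(fd, "w") as fh:
        json.dump(data, fh)


def is_private(path):
    """True if group and other have no access bits set (POSIX only)."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0


def begin(state_path):
    """Generate an unguessable state value and persist it for the callback check."""
    state = secrets.token_urlsafe(32)
    write_private_json(state_path, {"state": state})
    return state


def check_callback(state_path, callback_url):
    """Return the auth code only if the callback's state matches the stored one."""
    params = parse_qs(urlsplit(callback_url).query)
    if "error" in params:
        raise ValueError("authorization denied: " + params["error"][0])
    got = params.get("state", [""])[0]
    code = params.get("code", [""])[0]
    try:
        with open(state_path) as fh:
            expected = json.load(fh)["state"]
    except (OSError, KeyError, ValueError):
        raise ValueError("no pending OAuth state; run begin-oauth again")
    # Constant-time comparison; an empty or missing state never matches.
    if not got or not hmac.compare_digest(got.encode(), expected.encode()):
        raise ValueError("state mismatch: callback is not from this flow")
    if not code:
        raise ValueError("callback has no code parameter")
    os.remove(state_path)  # single use: a replayed callback URL now fails
    return code
```

On a mismatch the stored state is left in place, so the genuine callback can still be pasted; only a successful check consumes it.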
