Back to skill

Security audit

WordPress MCP

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate WordPress MCP skill, but it gives an agent broad live-site authority over content, users, settings, code, database, ecommerce, and public publishing with limited safety guidance.

Install only if you intend to let an agent administer a specific WordPress site. Use the least-privileged token possible, keep optional MCP features disabled unless needed, avoid SQL/Dynamic REST/plugin/theme editing on production, do not commit tokens, and require explicit human approval for public, destructive, financial, user-management, settings, database, or code-changing actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The reference exposes user-management primitives such as listing users, creating users, and updating user attributes, which materially expand the skill from content management into identity and access administration. In an agent setting, these capabilities can be abused to enumerate accounts, create unauthorized users, or modify privileged accounts if the agent is induced or misdirected into using them.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
Arbitrary option read/write access gives the skill broad control over WordPress configuration well beyond normal content workflows. Because many WordPress options influence authentication, plugins, site behavior, and integrations, exposing generic get/update operations creates a powerful and unnecessary capability that can enable site takeover, security weakening, or stealthy persistence.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The documented capability set materially expands from ordinary WordPress content/site administration into arbitrary theme/plugin source modification and direct database access. In an agent skill, this creates a powerful code-execution and persistence pathway: an LLM induced by a prompt can alter PHP files, implant backdoors, disable security controls, or damage the site well beyond the expected scope of content management.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Direct arbitrary SQL is especially dangerous because it bypasses application-layer validation, authorization, and safety controls. Even if the note says to use it cautiously, exposing raw query execution through an AI-facing tool allows prompt-driven data exfiltration, privilege manipulation, destructive writes, or subtle persistence in the WordPress database.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The reference explicitly exposes highly privileged primitives: arbitrary plugin/theme file reads and writes, plugin installation/activation, and raw SQL execution. In an agent skill for general WordPress management, these capabilities materially expand scope from content administration into code execution, persistence, and direct database tampering, creating a dangerous path to full site compromise if the agent is prompted, misused, or manipulated.

Context-Inappropriate Capability

Low
Confidence
88% confidence
Finding
The Dynamic REST section provides generic raw access to REST GET/POST/PUT/DELETE endpoints, which can bypass the safer, purpose-built tool abstractions and expose broader mutation surface than the skill description suggests. That flexibility increases the risk of unintended destructive actions, privilege abuse, or access to sensitive administrative endpoints if an agent is steered to use raw endpoint calls.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The skill description includes very broad activation criteria such as 'any WordPress admin task' and 'also use when asked about WordPress site management,' which can cause the skill to be invoked in contexts far beyond narrowly scoped, user-intended operations. Because this skill can drive authenticated administrative actions against a live WordPress site, overbroad triggering increases the chance of unintended destructive or sensitive operations being proposed or executed.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation instructs users to store a bearer token in TOOLS.md without any guidance on secure handling, least privilege, redaction, or avoiding exposure in prompts, logs, or version control. Since the token grants authenticated access to a WordPress MCP endpoint that may expose administrative capabilities, disclosure could enable unauthorized content changes, site reconfiguration, plugin/theme actions, or broader compromise depending on enabled features.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The document lists many destructive or state-changing operations—such as delete, update, create, alter, and option/plugin-affecting actions—without any guidance for confirmation, preview, rollback, or user warning. In an LLM-driven workflow, omission of these safety expectations increases the chance of accidental destructive actions, prompt-induced misuse, and irreversible administrative changes.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Theme file write, search-replace, and delete operations can directly alter executable PHP, templates, and assets, which can break site availability or implant malicious behavior. Presenting these actions without strong user-facing warnings and approval steps increases the chance that an AI agent performs destructive or security-sensitive modifications as part of a routine request.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Plugin creation, modification, activation, and deletion affect executable code and the site's security boundary, making them highly sensitive administrative actions. Without prominent warnings and safeguards, an LLM can be steered into adding vulnerable code, disabling protections, or deleting essential functionality, causing compromise or downtime.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The feature reference advertises destructive and write-capable operations such as create, update, alter, and delete without any warning about data loss, site integrity, or the need for confirmation. In an AI-driven admin workflow, omission of such warnings makes accidental or prompt-induced destructive actions more likely because the reference normalizes high-impact operations as routine.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The reference exposes a write-capable tool for `robots.txt` without any warning, authorization guidance, or explanation that this file affects site-wide crawling and indexing behavior. In a WordPress admin automation skill, this is dangerous because an agent could unintentionally or manipulatively block search engines, alter crawler access, or degrade site visibility across the entire site.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The reference documents destructive and high-impact commerce actions such as deleting products, issuing refunds, changing order status, updating stock, and modifying customer data without any warning, confirmation guidance, or guardrails. In an AI-driven admin workflow, this increases the chance of accidental or unauthorized operational changes that can directly affect revenue, inventory integrity, and customer experience.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.