WordPress MCP

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate-looking WordPress MCP helper, but it gives an agent broad, persistent authority over a live WordPress site, including code, database, ecommerce, and public-posting actions.

Install only if you intend to let an agent administer the selected WordPress site. Use the least-privileged token available, keep optional MCP features disabled unless needed, avoid SQL/Dynamic REST/plugin/theme editing on production, require explicit approval for public, destructive, financial, or code-changing actions, and rotate the token if it is exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Description-Behavior Mismatch
Medium severity, 87% confidence

This reference documents capabilities such as user creation/updates, option changes, and plugin enumeration, which materially expand the reachable administrative surface beyond ordinary content-editing workflows. In an agent skill, overbroad documented tools can lead the model to perform sensitive site-administration actions when the user only intended editorial tasks, increasing the risk of privilege misuse, account changes, or configuration tampering.

Description-Behavior Mismatch
Medium severity, 87% confidence

The file documents powerful developer capabilities (theme/plugin filesystem modification and direct database access) that materially expand the skill beyond ordinary content-management tasks. In an AI-driven MCP context, exposing these primitives increases the chance of destructive or privilege-abusing actions, especially if a user prompt is ambiguous or adversarial.

Context-Inappropriate Capability
High severity, 97% confidence

`wp_db_query` enables arbitrary SQL execution, which can bypass normal WordPress permission, validation, and audit boundaries. In an agent skill, this creates a direct path to read sensitive data, alter site state, destroy content, or tamper with security-relevant records if the model is tricked or misused.

Context-Inappropriate Capability
Medium severity, 89% confidence

The documented `wp_db_query(query)` capability exposes direct SQL execution for arbitrary SELECT/INSERT/UPDATE/DELETE operations, which is substantially broader and riskier than normal WordPress content-management functions. In an agent-driven context, this can bypass application-level safeguards, enable mass data modification or exfiltration, and amplify prompt-injection or operator mistakes into full database compromise.

Context-Inappropriate Capability
Medium severity, 91% confidence

Plugin/theme file write operations (`wp_plugin_put_file`, `wp_theme_put_file`) and install/activate capabilities allow arbitrary code or behavior changes on the WordPress instance. In practice, this is equivalent to remote code modification and can lead to site takeover, malware insertion, persistence, credential theft, or supply-chain abuse if an agent is manipulated into using these tools.

Context-Inappropriate Capability
Low severity, 80% confidence

Generic raw REST mutation tools (`wp_rest_post`, `wp_rest_put`, `wp_rest_delete`) expose a broad, low-level interface that can reach functionality beyond the curated tool set. This increases the chance that an agent can be induced to perform unexpected privileged actions, bypass intended guardrails, or interact with sensitive endpoints not anticipated by the skill description.

Vague Triggers
Medium severity, 94% confidence

The skill description is excessively broad, explicitly saying to use it for 'any WordPress admin task' and for general 'WP-related tasks.' That can cause over-invocation in situations where the user did not intend privileged site administration, increasing the chance of unnecessary access to sensitive admin capabilities.

Missing User Warnings
Medium severity, 96% confidence

The skill instructs users to store a bearer token in TOOLS.md without any warning about credential sensitivity, least privilege, rotation, or avoiding accidental disclosure. Because bearer tokens grant direct authenticated access to WordPress administrative functions, insecure handling could enable full site compromise or unauthorized content and configuration changes.

Missing User Warnings
Medium severity, 91% confidence

The skill advertises powerful administrative operations including content changes, plugin/theme management, and even database access, but provides no warnings about destructive actions, rollback planning, or confirmation requirements. In this context, omission of safeguards is dangerous because the MCP surface can directly alter a live production WordPress instance.

Missing User Warnings
Medium severity, 84% confidence

The reference includes many state-changing and destructive operations (publishing updates, deleting posts/media, replacing content, editing metadata, changing options, and creating users) without warning about permanence, blast radius, or the need for confirmation. In an AI-driven admin context, lack of safety guidance makes accidental destructive actions more likely and can normalize unsafe execution of high-impact requests.

Missing User Warnings
Medium severity, 92% confidence

The documented plugin/theme write, alter, rename, and delete operations can directly modify executable PHP/JS assets and remove site components, yet the documentation lacks strong user-impact warnings and operational safeguards. In practice, these capabilities can be used to implant backdoors, break site functionality, or cause irreversible loss through accidental or malicious prompts.

Missing User Warnings
Medium severity, 84% confidence

The feature reference advertises destructive operations such as delete, alter, option updates, plugin/theme modification, and database writes without any cautionary guidance or usage constraints. In an AI-agent setting, the absence of warnings materially increases the risk of unsafe invocation, accidental data loss, irreversible site damage, or misuse through prompt injection and ambiguous user requests.

Missing User Warnings
Medium severity, 78% confidence

Analytics, social-posting, and AI/image analysis features can involve transmission of site traffic data, account-linked content, media URLs, and possibly personal or business-sensitive information to external systems. Without privacy and data-handling warnings, users and downstream agents may unknowingly expose sensitive data or trigger external publication actions with compliance and reputational consequences.

Missing User Warnings
Medium severity, 88% confidence

The reference explicitly exposes a write-capable tool for `robots.txt` with no warning, guardrails, or mention of site-wide SEO and crawlability consequences. In a WordPress admin skill, this is security-relevant because an agent or user could unintentionally block search engines, expose sensitive paths, or alter crawler behavior across the entire site.

Missing User Warnings
Medium severity, 84% confidence

The documentation exposes numerous destructive or financially sensitive operations such as product deletion, refunds, stock changes, order status updates, and customer updates without any warning, confirmation, or approval guidance. In an AI-driven admin context, this increases the chance of unsafe execution from ambiguous prompts, prompt injection, or operator error, potentially causing data loss, financial harm, or business disruption.

VirusTotal

64/64 vendors flagged this skill as clean.