Jrb Remote Site Api Skill Repo
v1.0.0
Interface with WordPress sites via jrb-remote-site-api plugin for admin tasks, content CRUD, plugin/theme management, and Fluent suite integrations through R...
MIT-0
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims WordPress admin and Fluent-suite integration via the jrb-remote-site-api plugin, which coherently requires a site URL and API token; however the published registry metadata lists no required environment variables or primary credential even though SKILL.md explicitly requires JRB_API_URL and JRB_API_TOKEN. This mismatch between declared metadata and actual runtime needs is unexpected.
Instruction Scope
SKILL.md contains concrete curl examples using JRB_API_URL and JRB_API_TOKEN and describes admin actions (content CRUD, plugin/theme management, media uploads). The README further suggests storing/looking up multiple site credentials in a .credentials/jrb-sites.json mapping and says the agent will 'look up' credentials — implying the agent may read local credential files/config that are not declared in the skill metadata. The instructions do not direct data to unexpected external endpoints, but they do imply filesystem access to agent credential storage without declaring or documenting that access.
Install Mechanism
This is an instruction-only skill (no install spec or code files). README points to the official plugin and GitHub repo and suggests 'clawhub install jrb-remote-site-api', but there is no bundled install that would place code on disk. Because nothing is downloaded or executed by the skill itself, install risk is low — however the guidance about using clawhub and the external plugin should be validated by the user (confirm plugin source and version).
Credentials
The runtime instructions legitimately require two secrets (JRB_API_URL and JRB_API_TOKEN). The skill metadata, however, declares no required env vars or primary credential. README also recommends storing multiple tokens in a .credentials file, which increases the places secrets may live. The absence of declared credential requirements in the registry is a proportionality/documentation mismatch and raises the risk of unexpected credential access by the agent.
Persistence & Privilege
The skill does not request always:true, does not include an install that writes persistent binaries, and does not claim to modify other skills or system-wide settings. Agent autonomous invocation is enabled by default but not unusual; nothing in the skill requests elevated persistent privileges.
Scan Findings in Context
[no-code-files-or-regex-findings] expected: The repository is instruction-only (SKILL.md, README, package.json) so the regex-based scanner had no code to analyze. This is expected for an instruction-only skill, but it means there is no programmatic surface to inspect for hidden behavior — rely on the SKILL.md/README review instead.
What to consider before installing
This skill appears to be what it says (a wrapper for the JRB Remote Site API), but the published metadata does not declare the environment variables or credential file the SKILL.md and README say are required. Before installing:
1) Confirm the skill's publisher and the plugin sources (WordPress plugin page / GitHub) are legitimate.
2) Do not place site tokens in broadly accessible/shared config files; prefer per-site, least-privilege tokens and limit their scope.
3) Update your agent config to explicitly provide JRB_API_URL and JRB_API_TOKEN and verify the agent will only read intended credential files (inspect agent/tooling behavior).
4) If you need stronger assurance, ask the publisher for a clear install manifest and for the skill metadata to list required env vars and any config paths it will read.
5) Monitor actions taken by the agent (audit logs) when first using the skill.
These steps reduce the risk that the agent will access or transmit credentials unexpectedly.
Like a lobster shell, security has layers — review code before you run it.
latest
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
SKILL.md
JRB Remote Site API Skill
Interface with WordPress sites running the jrb-remote-site-api plugin. This skill enables AI agents to perform administrative tasks, content management, and integration with the Fluent suite (CRM, Forms, Support, etc.) via a secure REST API.
Configuration
Required environment variables for targeting a site:
- JRB_API_URL: The base URL of the site (e.g., https://jrbconsulting.au)
- JRB_API_TOKEN: The secure API token configured in the plugin settings
Core Capabilities
1. System & Auth
- Ping: Verify connection and token validity.
- Site Info: Get WordPress version, active theme, plugin version, and capabilities.
2. Content Management (CRUD)
- Posts & Pages: Create, read, update, delete, and list. Supports custom statuses (draft, publish, private).
- Media: Upload and manage files in the WordPress Media Library.
3. Plugin & Theme Management
- Plugins: List, install, activate, deactivate, update, and delete.
- Themes: List active/available themes, switch themes, install from URL.
4. Fluent Suite Integration (Modules)
- FluentCRM: Manage contacts, lists, tags, and campaigns.
- FluentSupport: Professional ticket management and customer support.
- FluentProject: Task and project management automation.
- FluentBoards: Advanced board and task management.
Usage Patterns
Verification
curl -H "X-JRB-Token: $JRB_API_TOKEN" "$JRB_API_URL/wp-json/jrb-remote/v1/site"
Create a Page
curl -X POST -H "X-JRB-Token: $JRB_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"title": "New Page", "content": "Hello World", "status": "publish"}' \
  "$JRB_API_URL/wp-json/jrb-remote/v1/pages"
Installation
This skill is designed to work with the JRB Remote Site API WordPress plugin.
To install:
clawhub install jrb-remote-site-api
