Jrb Remote Site Api Skill Repo
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a coherent WordPress admin integration, but it gives an agent broad site-changing and credential-backed authority without clear scoped guardrails.
Install only if you intend the agent to administer WordPress sites. Use least-privilege per-site tokens, keep credentials out of broad context files, and require explicit confirmation before publishing, deleting, installing, updating, switching themes, or touching CRM/support customer data.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
66/66 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or overbroad agent action could publish or delete site content, alter the live site, or change installed WordPress components.
The skill tells the agent it can perform broad, destructive, and public site-changing REST operations, but the artifacts do not define confirmation, scoping, rollback, or safer constrained workflows.
"Posts & Pages: Create, read, update, delete... Plugins: List, install, activate, deactivate, update, and delete. Themes: ... switch themes, install from URL."
Use only with explicit user approval for each mutation, restrict the API token to the minimum needed permissions, and require backups or rollback plans before deletes, installs, updates, or publishing.
If the agent uses the wrong token, overbroad token, or wrong site mapping, it could make admin-level changes to one or more WordPress sites.
The skill expects locally stored tokens for one or more WordPress sites; these credentials enable high-privilege admin actions, and the registry metadata declares no primary credential or required environment variables.
"Ensure your agent's `TOOLS.md` or `.credentials/` contains the endpoint and token for the site(s) you wish to manage."
Declare the credential requirement clearly, use separate least-privilege tokens per site, avoid placing tokens in broad context files, and rotate/revoke tokens if misuse is suspected.
A bad URL or compromised package could install malicious or broken code on the WordPress site.
Installing a WordPress theme from an arbitrary URL can introduce untrusted executable site code, and the artifacts do not specify allowed sources, verification, or approval requirements.
"Themes: List active/available themes, switch themes, install from URL."
Allow installs only from trusted repositories or reviewed packages, verify source and integrity before installation, and require explicit human confirmation.
The agent may retrieve or modify business/customer data from the selected site, so incorrect site selection or prompt wording could expose data to the wrong task context.
The skill is intentionally a remote API integration and may move CRM, support-ticket, and customer data between the agent and configured WordPress sites.
"route the request to the correct `jrbremoteapi/v1` endpoint using the `X-JRB-Token` header"
Confirm the target site before requests involving customer data and keep tokens and API responses out of shared or unnecessary context.
