ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

WordPress Optimizer

v1.0.0

Optimize and tune WordPress sites for performance and security with automated analysis and configuration management.

0· 96·0 current·0 all-time
byToolWeb@krishnakumarmahadevan-cmd
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description match the actions described in SKILL.md (site optimization and tuning). Requesting admin username/password or a site token is coherent with an optimization service that must make changes on a WordPress site.
!
Instruction Scope
The SKILL.md describes API endpoints that will require the user's WordPress admin credentials or tokens. It implicitly instructs the agent to submit those secrets to a remote service (references to api.mkkpro.com and portal/toolweb.in), but it does not state where credentials are stored, how they're transmitted/retained, or provide an explicit, trusted base URL in the OpenAPI servers field. There are no instructions to limit the scope of the credentials (e.g., use a temporary admin or scoped token) or to run on a staging site first.
Install Mechanism
Instruction-only skill with no install spec and no code files — nothing is written to disk by an installer. This minimizes local install risk.
!
Credentials
No environment variables or binaries are required by the skill metadata, but runtime usage requires users to provide sensitive credentials (admin username/password or tokens) to the service. The skill does not declare or document any primary credential handling, storage, or retention policy, and the provider is not identified in registry metadata, which is disproportionate from a provenance/transparency perspective.
Persistence & Privilege
The skill is not always-enabled and does not request persistent system privileges. Autonomous invocation is allowed by default but that is normal; there is no evidence the skill modifies other skills or system settings.
What to consider before installing
This skill appears to be a front-end for an external optimization API that will require you to submit WordPress admin credentials or tokens. Before installing or using it: (1) verify the provider identity and reputation (owner is unknown in registry metadata and no homepage is set), (2) inspect the provider's privacy/security policy and ask how credentials are transmitted, stored, and for how long, (3) prefer issuing a scoped token or temporary admin account limited to a staging site rather than your production admin password, (4) review the API docs and confirm TLS endpoints and a canonical base URL (openapi.json lacks a servers field), and (5) request source code or a self-hosted alternative if you must send sensitive credentials. If you cannot verify the provider and credential handling, treat this as high risk and avoid sending production admin credentials.

Like a lobster shell, security has layers — review code before you run it.

latestvk979faptck2jf1qn2er04e3hdh83ebwn

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments