Security audit

WordPress API Auto Post 文章自动发布API

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed WordPress publishing skill that can create drafts or posts, and its sensitive access matches that purpose.

Install only if you want an agent to create WordPress drafts or posts for your site. Use a dedicated least-privilege WordPress account, keep the .env file out of version control and shared logs, test with draft status first, review content before approving publication, and remove the WordPress PHP snippet if you stop using the skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 91%
Finding
The README instructs users to place a WordPress application password in a .env file and then export it into the shell environment, but it does not clearly warn that this credential is sensitive, should never be logged or committed, and may be exposed through shell history, process inspection, CI logs, or inherited subprocess environments. In an agent-skill context, this is more dangerous because automation frameworks commonly capture environment variables, command transcripts, and debugging output, increasing the chance of credential leakage.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.