WordPress API Auto Post: Article Auto-Publishing API
Pass
Audited by VirusTotal on May 6, 2026.
Overview
Type: OpenClaw Skill
Name: wp-auto-post-api
Version: 2.1.1
The skill is a legitimate tool for publishing SEO-optimized articles to WordPress via the REST API. It uses standard Python libraries (urllib) for network requests and follows WordPress security practices by utilizing Application Passwords and enforcing capability checks (edit_posts) in the provided PHP configuration snippet. The AI instructions in SKILL.md include a mandatory 'Approval Gate' requiring user confirmation before publishing, and the script (publish_wp_article.py) contains no evidence of data exfiltration, obfuscation, or unauthorized execution.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If configured with a powerful WordPress account, the agent may be able to create or publish content on the site using that account's permissions.
The skill openly requires a WordPress application password with posting authority. This is purpose-aligned, but it gives the agent delegated ability to create posts and manage tags as that WordPress user.
credentials:
  - type: wordpress_app_password
    description: WordPress Application Password with edit_posts capability. Grants REST API access to create posts and manage tags as the configured user.
Use a dedicated least-privileged WordPress user, keep the application password secret, require draft-first testing, and revoke the password when no longer needed.
Approved runs can add draft or published posts to the configured WordPress site and may create new tags.
The script performs authenticated POST requests to create WordPress posts. This is the skill's stated purpose, but it is a real mutation of a third-party site.
api_url = f"{site_url}/wp-json/wp/v2/posts"
...
result = make_api_request(api_url, auth_b64, method="POST", data=post_data)
Confirm the site URL, title, slug, status, tags, and article body before approving; use draft mode unless you intentionally want immediate publication.
Installing the snippet exposes the listed RankMath meta fields through the WordPress REST API for users allowed to edit posts.
The setup file is a PHP snippet intended to be added to WordPress so RankMath metadata can be set through the REST API. It is visible, scoped to three meta keys, and purpose-aligned, but it changes site behavior persistently.
add_action('init', function () {
    ...
    register_meta('post', $key, [
        'show_in_rest' => true,
Add the snippet only if you understand the change, prefer a child theme or Code Snippets plugin, and remove it if you uninstall the skill.
Article titles, URLs, focus keywords, tags, and status may remain in a local log after publishing.
The workflow stores publication results in a persistent memory log. The artifact scopes the log's purpose and warns other skills not to use it as input.
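Append the successful publication results and URLs to `memory/wp-articles-log.md`. This log is used only for this Skill's duplicate-prevention checks and publication audit, and should not be used by other Skills as a data input source.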
Keep the log free of secrets, periodically review it, and avoid letting unrelated skills treat it as authoritative instructions or source content.
