Wordpress Article Publisher.Skill

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This WordPress publishing skill is purpose-adjacent but needs review because it can delete live posts and send site credentials without strong guardrails.

Review this before installing. Use only a dedicated low-privilege WordPress account, require an HTTPS site URL, and avoid granting delete permissions unless you explicitly want deletion support. Treat the application password as a secret and revoke it after use or if anything looks wrong.

SkillSpector (9)

By NVIDIA

Description-Behavior Mismatch

Medium

Confidence: 88% confidence
Finding: The skill’s documented behavior exceeds its declared scope by introducing modification of existing posts via deletion and republishing. This matters because destructive content operations are materially different from simple article creation, and users or calling systems may not realize the skill can remove existing content.

Description-Behavior Mismatch

High

Confidence: 98% confidence
Finding: The skill is described as a WordPress article publishing assistant, but this script adds destructive delete capability against live posts. In an agent context, hidden or undocumented destructive actions materially expand the permission and abuse surface: a user or prompt injection that reaches this script could delete content on the configured WordPress site instead of only publishing new articles.

Intent-Code Divergence

Medium

Confidence: 95% confidence
Finding: The file header explicitly states this is an article deletion script, which contradicts the declared publish-assistant purpose of the skill. This mismatch is dangerous because it conceals destructive capability inside a seemingly benign publishing tool, increasing the chance that operators grant credentials or invoke actions they would not have approved if the capability were clearly disclosed.

Vague Triggers

Medium

Confidence: 81% confidence
Finding: The trigger phrase '发布文章' is overly broad for a skill that can publish directly to a live WordPress site. Broad activation language increases the chance of accidental invocation during ordinary conversation, which is more dangerous here because the skill performs external side effects using user-supplied credentials.

Missing User Warnings

High

Confidence: 95% confidence
Finding: The documented modification flow deletes the original post and republishes it, but provides no warning, preview, backup, or confirmation step. This is dangerous because it can irreversibly remove or replace production content, potentially breaking links, metadata continuity, editorial history, and user trust.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The authentication section instructs use of Basic Authentication with a username and application password but gives no warning that these credentials are sensitive secrets that must only be sent over HTTPS and never logged or persisted. In a credential-handling skill, omission of that guidance increases the chance of accidental exposure through insecure transport, transcripts, debug logs, or copied examples.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The guide explicitly tells users to hand their WordPress username and application password to the assistant, which normalizes credential sharing without clearly warning that these secrets grant API access to the user's site. In the context of a publishing skill, this is materially risky because the credential can be abused to create, edit, or potentially delete content depending on account permissions, and users may over-trust the assistant.

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The script issues an HTTP DELETE to the WordPress posts endpoint immediately after receiving parameters, with no interactive confirmation, dry-run mode, or guardrails around the target post. In an automated agent workflow, this makes accidental deletion, prompt-induced misuse, or misuse of supplied credentials much more likely, and deletion may be operationally irreversible even if WordPress marks the post deleted first.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The script sends the WordPress username/app password and article content to whatever URL is supplied in $SiteUrl, but it does not enforce HTTPS, validate the destination, or warn the user that sensitive data will be transmitted over the network. If a user supplies an HTTP endpoint or a hostile/intercepted URL, credentials and content can be exposed to eavesdropping or sent to an attacker-controlled server.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal