MakeWPFast Benchmark

Security checks across malware telemetry and agentic risk

Overview

This skill coherently wraps a WordPress performance benchmark API and discloses its paid API, credentials, cache, and local site audit behavior.

Install only if you are comfortable using a paid MakeWPFast API key. Local site audits use wp-cli to identify active plugin slugs and may query those slugs against the external API, consuming quota unless cached. Review the local cache, calls log, and API-key storage location if you need tighter operational control.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The skill instructs the agent to run `mwf-bench audit --path /path/to/wp` for local site audits but does not require an explicit user warning or consent that a paid external API will be contacted and that plugin/theme inventory derived from the local WordPress installation may be transmitted off-host. In a site-audit context, that omission can lead to unintended disclosure of environment details and unexpected quota or billing usage.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal