Maverick Wordpress Mcp

Review

Audited by ClawScan on May 13, 2026.

Overview

This WordPress connector behaves as advertised but can change your site and uses stored WordPress OAuth tokens, so use it only with sites you intend the agent to manage.

Before installing, make sure you trust the mcporter package and WordPress.com's hosted MCP service, only provide OAuth tokens for sites you want managed, and require clear approval before public publishing, deletion, moderation, or uploads.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may be able to publish, edit, delete, moderate, or upload WordPress.com content if you authorize it.

Why it was flagged

The skill intentionally exposes mutation authority over WordPress.com content, but the same artifact discloses the impact and instructs confirmation before changes.

Skill content

Write-capable tools can change public or private WordPress.com content. Confirm clear user intent before creating, editing, publishing, unpublishing, deleting, moderating, or uploading content

Recommendation

Use it only for WordPress sites you want the agent to manage, and require explicit confirmation before any publishing, deletion, moderation, or upload action.

What this means

A refresh token in the local vault can allow continued WordPress.com access until it is revoked or rotated.

Why it was flagged

The wrapper persists OAuth access and refresh tokens into mcporter's local credential vault so mcporter can authenticate WordPress.com MCP calls.

Skill content

mcp_vault="${HOME}/.mcporter/credentials.json" ... tokens: {access_token: env.mcp_access, refresh_token: env.mcp_refresh, token_type: "Bearer"}

Recommendation

Protect the machine and the mcporter credential vault, avoid sharing these environment variables, and revoke the WordPress.com integration if you stop using the skill.

What this means

WordPress.com's MCP server instructions may shape how the agent uses the tools during a session.

Why it was flagged

The skill tells the agent to rely on provider-published MCP instructions and schemas during use, which is expected for a thin pass-through MCP integration but gives remote instructions operational influence.

Skill content

The live server is the source of truth for what tools exist ... and any per-server instructions the server publishes. Treat this as the authoritative reference for the rest of the session.

Recommendation

Treat server-published instructions as tool documentation, while keeping system rules, user intent, and the skill's write-confirmation guidance higher priority.

What this means

Future changes to the mcporter package could affect how the skill runs.

Why it was flagged

The skill depends on installing the mcporter package by name; the provided install spec does not pin a version.

Skill content

node | package: mcporter | creates binaries: mcporter

Recommendation

Install mcporter from a trusted registry/source and prefer version pinning or package verification where the platform supports it.

What this means

WordPress.com receives the tool requests and content needed to perform the actions you ask for.

Why it was flagged

Authenticated MCP calls are sent to the declared WordPress.com hosted MCP endpoint over the configured HTTP transport.

Skill content

"baseUrl": "https://public-api.wordpress.com/wpcom/v2/mcp/v1", "transport": "http", "auth": "oauth"

Recommendation

Use the skill only for intended WordPress.com tasks and review WordPress.com's MCP/privacy documentation if you have data-sharing concerns.