Maverick Wordpress Mcp

Pass. Audited by VirusTotal on May 13, 2026.

Overview

Type: OpenClaw Skill
Name: maverick-wordpress-mcp
Version: 1.0.2

The skill is a legitimate Model Context Protocol (MCP) integration for WordPress.com. It uses a wrapper script (scripts/invoke.sh) and a vault seeder (scripts/init-mcporter.sh) to manage OAuth credentials provided via environment variables. The credential handling follows security best practices, such as using flock for concurrency, avoiding secrets in process arguments via jq environment variables, and storing tokens in a standard local directory (~/.mcporter/). All network activity is directed to the official WordPress.com API endpoint (public-api.wordpress.com).

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may be able to publish, edit, delete, moderate, or upload WordPress.com content if you authorize it.

Why it was flagged

The skill intentionally exposes mutation authority over WordPress.com content, but the same artifact discloses the impact and instructs confirmation before changes.

Skill content

Write-capable tools can change public or private WordPress.com content. Confirm clear user intent before creating, editing, publishing, unpublishing, deleting, moderating, or uploading content

Recommendation

Use it only for WordPress sites you want the agent to manage, and require explicit confirmation before any publishing, deletion, moderation, or upload action.

What this means

A refresh token in the local vault can allow continued WordPress.com access until it is revoked or rotated.

Why it was flagged

The wrapper persists OAuth access and refresh tokens into mcporter's local credential vault so mcporter can authenticate WordPress.com MCP calls.

Skill content

mcp_vault="${HOME}/.mcporter/credentials.json" ... tokens: {access_token: env.mcp_access, refresh_token: env.mcp_refresh, token_type: "Bearer"}

Recommendation

Protect the machine and the mcporter credential vault, avoid sharing these environment variables, and revoke the WordPress.com integration if you stop using the skill.

Note | High Confidence

ASI01: Agent Goal Hijack

What this means

WordPress.com's MCP server instructions may shape how the agent uses the tools during a session.

Why it was flagged

The skill tells the agent to rely on provider-published MCP instructions and schemas during use, which is expected for a thin pass-through MCP integration but gives remote instructions operational influence.

Skill content

The live server is the source of truth for what tools exist ... and any per-server instructions the server publishes. Treat this as the authoritative reference for the rest of the session.

Recommendation

Treat server-published instructions as tool documentation, while keeping system rules, user intent, and the skill's write-confirmation guidance higher priority.

What this means

Future changes to the mcporter package could affect how the skill runs.

Why it was flagged

The skill depends on installing the mcporter package by name; the provided install spec does not pin a version.

Skill content

node | package: mcporter | creates binaries: mcporter

Recommendation

Install mcporter from a trusted registry/source and prefer version pinning or package verification where the platform supports it.

What this means

WordPress.com receives the tool requests and content needed to perform the actions you ask for.

Why it was flagged

Authenticated MCP calls are sent to the declared WordPress.com hosted MCP endpoint over the configured HTTP transport.

Skill content

"baseUrl": "https://public-api.wordpress.com/wpcom/v2/mcp/v1", "transport": "http", "auth": "oauth"

Recommendation

Use the skill only for intended WordPress.com tasks and review WordPress.com's MCP/privacy documentation if you have data-sharing concerns.