youmind-wordpress-article

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly transparent about publishing to WordPress, but it exposes broader site-admin actions than an article-writing skill needs.

Install only if you are comfortable giving this skill a YouMind API key connected to a WordPress account that can change your site. Prefer a limited WordPress role, use draft mode by default, review before using --publish, and avoid invoking delete, category-admin, or comment-admin commands unless you explicitly intend those site changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Description-Behavior Mismatch

Severity: Medium | Confidence: 91%
The documented API surface includes delete, unpublish, and broad post-management actions that exceed the skill's advertised purpose of writing and publishing articles. Expanding capability beyond the declared scope increases the chance an agent or downstream workflow invokes destructive operations on existing content, creating unnecessary risk and violating least-privilege expectations.

Context-Inappropriate Capability

Severity: Medium | Confidence: 95%
Permanent deletion (`force=true`) is especially risky because it allows irreversible destruction of WordPress posts despite the skill being framed as an article-writing/publishing tool. If an agent misinterprets a request, is prompt-injected, or is misused, this capability can cause unrecoverable content loss on the user's site.

Description-Behavior Mismatch

Severity: High | Confidence: 96%
The CLI imports and exposes a wide set of WordPress administrative functions—post deletion/unpublishing, category management, comment moderation, media upload, and site querying—that materially exceed the declared skill purpose of writing and publishing articles. In an agent setting, this overbroad capability increases blast radius: a prompt or tool-selection mistake could cause unauthorized site changes or destructive actions unrelated to article publishing.

Description-Behavior Mismatch

Severity: Medium | Confidence: 93%
Category creation, update, and deletion are site-taxonomy administration features, not necessary for basic end-to-end article publishing as described in the skill metadata. Exposing these controls through the same skill enables unintended content-structure changes across the site if the agent is misprompted or compromised.

Description-Behavior Mismatch

Severity: High | Confidence: 97%
Comment listing, creation, editing, and deletion are unrelated to the stated article-publishing purpose and give the skill moderation and impersonation-like powers over user-generated content. If triggered unintentionally, these functions could leak comment data, alter moderation state, post unauthorized comments, or delete community content.

Vague Triggers

Severity: Medium | Confidence: 90%
The README encourages activation from very broad natural-language requests such as "write a post about XX," which can cause the skill to trigger on ambiguous user intent and proceed into a workflow that researches and prepares content for publication. In a skill with external side effects against a connected WordPress site, overly broad triggers increase the chance of unintended execution and can cascade into draft creation or live publication if combined with permissive defaults or agent autonomy.

Missing User Warnings

Severity: Medium | Confidence: 95%
The README advertises immediate live publishing via `--publish` and says it can "go live immediately" without clearly emphasizing that this is a system-impacting action affecting a production website. For a skill that can modify externally hosted content, lack of an explicit warning and confirmation requirement creates a real risk of accidental public posting, reputational damage, and unintended site changes.

Missing User Warnings

Severity: Medium | Confidence: 85%
The README shows `--publish` as a normal usage path but does not prominently warn that it will perform a real write operation against the user's already-connected WordPress site. In an agent skill context, this increases the risk of unintended remote content modification because users may treat the command as a preview-like action rather than a destructive external side effect.

Missing User Warnings

Severity: Medium | Confidence: 90%
The skill prominently advertises one-click publishing, image upload, and local draft creation, but the initial description does not foreground that it will write local files and can modify external WordPress data. This increases the chance of unintended actions because users may perceive it as a drafting assistant rather than a tool with direct side effects on local storage and a live site.

Missing User Warnings

Severity: Medium | Confidence: 93%
The delete operation is documented without any requirement for explicit confirmation or user-facing warning, which is unsafe for an agentic tool that may act on natural-language instructions. Without confirmation guidance, accidental or induced invocation could move posts to trash or permanently delete them before the user understands the consequence.

Missing User Warnings

Severity: Medium | Confidence: 93%
The pipeline explicitly routes article content, metadata, and publication actions through YouMind services and a YouMind WordPress proxy, but it does not clearly warn the user that their draft content and linked-site operations are being transmitted to a third-party service. This creates a real privacy and data-governance risk, especially if users assume publishing occurs directly to WordPress or are unaware that connector-stored credentials and post data pass through YouMind infrastructure.

Missing User Warnings

Severity: Medium | Confidence: 86%
The upload helper reads arbitrary local files from a supplied path and transmits their contents to a remote API as base64. In an agent setting, this can exfiltrate sensitive local data if a prompt, tool chain, or compromised caller provides an unintended path, and there is no visible restriction, disclosure, or consent check in this layer.

VirusTotal

VirusTotal findings are pending for this skill version.
