Pinch to Post - Manage WordPress sites through WP Pinch MCP server
Advisory. Audited by static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If connected with a privileged WordPress account, the agent may be able to alter public site content, users, comments, settings, plugins, themes, or WooCommerce data.
The skill exposes broad WordPress administration and business-site capabilities through MCP tools. This is aligned with the stated purpose, but the provided artifact does not show clear user-confirmation, rollback, or scope limits for high-impact mutations.
54 MCP tools across 12 categories — content, media, taxonomies, users, comments, settings, plugins, themes, analytics, governance, WooCommerce, and more.
Use a dedicated least-privilege WordPress account, test on a staging site first, and require explicit confirmation for publishing, deleting, user/admin, plugin/theme, settings, and WooCommerce actions.
The agent can act with whatever WordPress permissions are attached to the configured Application Password.
The WordPress credential is expected for this integration and is not stored in the skill, but it still grants delegated account authority through the MCP server.
Configure your MCP server with the endpoint `{WP_SITE_URL}/wp-json/wp-pinch/v1/mcp` and a WordPress Application Password. These credentials live in your MCP server config (not in the skill). Create a dedicated WordPress user and Application Password with the minimum role needed, monitor audit logs, and revoke the credential when no longer needed.
Installing the plugin gives third-party code a role in handling WordPress site actions and MCP requests.
The skill is instruction-only and depends on an external WordPress plugin that is not included in the supplied artifacts. This is normal for the integration, but the external code must be trusted separately.
Install the WP Pinch plugin on your WordPress site from GitHub or wp-pinch.com.
Install only from the official project source, verify the version, review plugin permissions, and keep the plugin updated.
Background tasks may keep scanning, reporting, or otherwise acting on site content outside the immediate chat session.
The artifact advertises persistent daily automation and webhook reporting, but the supplied text does not show clear controls for opt-in, disabling, task scope, or webhook destination.
Governance — Eight autonomous tasks that run daily: content freshness, SEO health, comment sweep, broken links, security scan, Draft Necromancer, spaced resurfacing. Everything rolls up into a single Tide Report webhook.
Confirm whether governance tasks are disabled by default, configure exactly which tasks run, verify webhook destinations, and disable any automation you do not need.
Misconfigured webhooks could send sensitive site or store event data to an unintended endpoint.
Webhook flows are disclosed and relevant to the product, but they may carry site, user, comment, or store-event data outside WordPress depending on configuration.
Webhook integration for post, comment, user, and WooCommerce events
Use trusted HTTPS webhook endpoints, minimize payloads where possible, and avoid sending user or WooCommerce data to services you do not control.
Private drafts or writing-style information may be used to generate new content through the connected tools.
The skill may analyze drafts and writing style as context for content generation. This is purpose-aligned, but drafts and author voice can be sensitive or private.
Ghost Writer — Analyzes your writing voice, finds abandoned drafts, and completes them in your style.
Review which posts and drafts the connected WordPress account can access, and avoid granting access to private content that should not be used for generation.
