Back to skill
Skillv1.0.0
VirusTotal security
WordPress Remote News Publisher · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMay 1, 2026, 5:02 AM
- Hash
- 02ed1629ddb6f1d3fb03f73b70f4b3411df58badea6694d943405670ddbbc4f8
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: wordpress-remote-news-publisher Version: 1.0.0 The skill is classified as suspicious due to several security vulnerabilities, primarily the use of `StrictHostKeyChecking=no` in all SSH and SCP commands across `SKILL.md`, `publish_wp_remote.sh`, and `upload_media_remote.sh`, which disables host key verification and exposes the connection to Man-in-the-Middle attacks. Additionally, the `publish_wp_remote.sh` script uses `file://` paths for post content in remote WP-CLI commands, which could be exploited for Local File Inclusion or Remote Code Execution if the AI agent's generated content (saved to `/tmp/wp_article.json`) were maliciously manipulated. While the skill's stated purpose is legitimate, these flaws present significant attack surfaces without clear evidence of intentional malicious exploitation by the author.
- External report
- View on VirusTotal