
Security audit

Wordpress Auto Publish Clean

Security checks across malware telemetry and agentic risk

Overview

This WordPress publishing skill mostly matches its stated purpose, but it ships under-disclosed diagnostic and test scripts that handle credentials unsafely and can modify or permanently delete WordPress content.

Review carefully before installing. Use only on WordPress sites you own or administer, remove the bundled test/JWT/debug scripts with hardcoded openow.ai credentials, avoid running scripts that use force=true deletion, keep TLS verification enabled, and store WordPress credentials or JWTs only in a secure secret manager or environment variables.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (153)

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The script includes a cleanup routine that permanently deletes WordPress posts via the REST API using force=true. While framed as test cleanup, this exceeds the stated publish-only purpose and introduces destructive remote capability that could remove content if the script is misused, pointed at the wrong site, or run with privileged credentials.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The interactive prompt allows an operator to trigger permanent deletion of remote content after publishing. In an auto-publish skill, bundling destructive cleanup with normal publishing increases the chance of accidental or unauthorized content removal, especially because the same authenticated API client is reused for deletion.

Context-Inappropriate Capability

High
Confidence
91% confidence
Finding
The demo performs permanent deletion of posts using force=true, which bypasses trash/recovery semantics and can irreversibly destroy content if the wrong IDs are targeted or if the script is run against a real site. In the context of an auto-publishing skill, destructive deletion is not necessary for the core purpose, making this capability disproportionately risky.

Description-Behavior Mismatch

High
Confidence
93% confidence
Finding
The skill is described as automatically publishing Markdown articles, but this file includes broad taxonomy administration and destructive cleanup behavior, including deletion of categories, tags, and demo posts. In an agent context, over-scoped capabilities increase the blast radius of mistakes or prompt-driven misuse, allowing unintended modification of a WordPress site beyond simple publishing.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The file exposes category update and delete operations even though the stated skill purpose is article publishing. Unnecessary destructive APIs are dangerous in automation because a prompt error, logic bug, or hostile input could cause loss or alteration of site taxonomy without the user intending administrative changes.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The demonstration routine creates and forcibly deletes posts, which is unrelated to routine taxonomy management for publishing Markdown articles. Demo code that performs real side effects against production APIs can create, alter, or destroy content if accidentally executed in a live environment.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The diagnostic helper goes beyond connectivity checking and performs authenticated state-changing actions by creating and then force-deleting a WordPress post. Even if intended as a harmless test, this exceeds the skill's stated publishing/diagnostic purpose and can cause unintended content changes, audit noise, side effects from hooks/plugins, or destructive deletion behavior on a live site.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script explicitly disables TLS certificate validation via rejectUnauthorized: false, which makes HTTPS connections vulnerable to man-in-the-middle interception and tampering. In this script, that is especially dangerous because it is used while probing authentication endpoints and submitting WordPress credentials, so an attacker on the network could steal credentials or inject responses.

Description-Behavior Mismatch

High
Confidence
92% confidence
Finding
The diagnostic script performs authenticated state-changing operations against a remote WordPress site by creating and then force-deleting a post. Even though intended as a connectivity test, this exceeds a read-only diagnosis role and can cause unintended content changes, audit noise, or destructive side effects on a production site without explicit operator confirmation.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The script performs broad reconnaissance against a WordPress instance, including enumerating authentication endpoints, user/media/settings-related APIs, and capability checks that exceed the stated purpose of automatically publishing Markdown articles. While framed as diagnostics, this materially increases information gathering against the target site and could aid misuse or unauthorized environment profiling if run against third-party systems.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code explicitly probes administrative and site-management endpoints like plugins, themes, and settings, which are unrelated to publishing blog posts. Even without exploiting anything directly, these checks can reveal privileged surface area and configuration details useful for follow-on attacks or unnecessary privilege discovery.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The file’s behavior materially exceeds the advertised purpose of automatically publishing Markdown articles. It performs authentication probing, reads user identity data, updates content, and permanently deletes posts, which expands the operational and security scope beyond what a user would reasonably expect from this skill.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script iterates through multiple authentication approaches, including modified-password and manual Authorization-header variants, to discover a working credential path. That is not necessary for normal article publishing and creates credential-testing behavior that could be abused or violate user expectations.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The script can permanently delete posts using force=true, which is a destructive capability unrelated to the skill’s stated publishing function. If pointed at a real site with valid credentials, this enables irreversible content loss and increases the blast radius of accidental or unauthorized execution.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The script is described as an auto-publish test, but it also exercises update and permanent deletion operations against WordPress posts. In a credentialed automation context, expanding scope beyond publish/create increases the blast radius of misuse or operator error, because the same script can modify or irreversibly delete content if pointed at the wrong site or run with elevated credentials.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script hardcodes three candidate WordPress passwords and iterates through them to obtain access, which is credential stuffing/brute-force behavior rather than normal publishing logic. In the context of a publishing skill, this enables unauthorized account access attempts and active misuse of a remote WordPress instance.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
This file is not implementing Markdown-to-WordPress publishing; it is primarily a credential trial script that probes multiple secrets until one succeeds. That mismatch is dangerous because it disguises unauthorized authentication attempts as a legitimate automation feature, increasing the likelihood of covert misuse.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This script enumerates a broad set of authentication-related endpoints, including JWT, OAuth, admin-ajax, and custom API paths, which goes beyond the stated purpose of publishing Markdown to WordPress. In the context of an agent skill, this expands attack surface and enables reconnaissance against remote auth infrastructure, which could be repurposed for unauthorized access attempts.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The code does not merely discover endpoints; it actively sends authentication requests with username/password pairs to candidate endpoints and treats token acquisition as success. That behavior crosses from configuration assistance into credential submission and token harvesting, which is highly sensitive and dangerous if pointed at the wrong host or used without informed consent.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
TLS certificate validation is explicitly disabled via rejectUnauthorized: false, allowing man-in-the-middle interception or modification of responses during endpoint probing and credential submission. Because the same client is later used for auth-related POST requests, an attacker on the network could capture credentials or return forged endpoint responses.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The script includes a cleanup routine that permanently deletes a WordPress post using `force=true`, which exceeds the stated skill purpose of publishing Markdown articles. In an automation context, destructive actions against production content can cause irreversible data loss if test IDs are wrong, credentials point to a live site, or the script is reused without careful review.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The script goes beyond simple article publishing and implements credential acquisition, token validation, endpoint probing, role inspection, and token persistence. In a skill whose stated purpose is auto-publishing Markdown to WordPress, this broader auth-management capability increases exposure of sensitive credentials and reusable bearer tokens and creates functionality that could be repurposed for unauthorized access if misused.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The code writes a full reusable JWT and associated user metadata to a local JSON file, creating a plaintext credential artifact on disk. If the host is multi-user, backed up, synced, logged, or later compromised, the token can be replayed to access the WordPress API with the user's privileges until expiry.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The demo performs permanent deletion of posts and media as part of cleanup using force=true, which is a destructive capability not disclosed by the skill description. Hidden destructive behavior is dangerous because a user may run the script expecting publication automation and instead irreversibly delete WordPress content under the authenticated account.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The code fetches arbitrary remote URLs provided as image sources and then uploads the retrieved content to WordPress. This creates an SSRF-style network access primitive and untrusted content ingestion path, allowing internal or unexpected network resources to be contacted if an attacker can influence the URL input.

VirusTotal

66/66 vendors flagged this skill as clean.
