Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Pinch to Post - Manage WordPress sites through WP Pinch MCP server
v5.5.1
Manage WordPress sites through WP Pinch MCP tools. Part of WP Pinch (wp-pinch.com).
⭐ 11· 4.7k·20 current·20 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (manage WordPress via WP Pinch MCP server) lines up with requirements: the only declared env var is WP_SITE_URL (a non-secret URL) and the SKILL.md describes using an MCP endpoint that holds the Application Password. No unrelated credentials, binaries, or installs are requested.
Instruction Scope
SKILL.md is instruction-only and directs the agent to use typed MCP tools on the server (54 tool categories). That is expected for broad site management, but it means the agent can trigger many server-side operations (posts, plugins, themes, WooCommerce, governance tasks). This is coherent, but you should confirm the MCP server actually enforces capability checks, audit logging, deny-lists, and role restrictions as claimed.
Install Mechanism
No install spec or code files are included (instruction-only). Nothing is downloaded or written to disk by the skill itself, which minimizes install risk.
Credentials
Only WP_SITE_URL is required and is described as non-secret. The SKILL.md explains authentication is handled by the MCP server (Application Password stored there). No unrelated secrets or multiple credentials are requested.
Persistence & Privilege
always:false and user-invocable:true (normal). The skill does not request persistent system presence or modify other skills. Note: autonomous invocation (model invocation enabled) is the platform default; if you want to limit automated actions, restrict agent policies or require user confirmation for sensitive operations.
Assessment
This skill appears coherent, but take these practical checks before installing:
1) Verify the WP Pinch plugin source (GitHub and wp-pinch.com) and review its code/README to confirm it actually enforces the auth, permission checks, and audit logging claimed.
2) Ensure your MCP server stores the WordPress Application Password (and other secrets) server-side — the skill itself should never contain credentials.
3) Test on a staging site first, because the skill exposes many powerful tools (plugins, themes, WooCommerce, governance tasks).
4) Review configured webhooks (Tide Report) and any external endpoints the MCP server will call.
5) If you are concerned about autonomous actions, restrict the agent's ability to invoke destructive MCP tools or require manual confirmation for write/delete operations.
6) If anything in the plugin or server configuration contradicts the SKILL.md claims (e.g., credentials being placed in the skill environment), do not install.
Like a lobster shell, security has layers — review code before you run it.
latestvk970kdedgxzdqybc49qxe71dyh817g07
Runtime requirements
🦞 Clawdis
Env: WP_SITE_URL
