Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

WordPress Blog Publisher

v1.0.0

Use this skill whenever the user wants to publish, update, or batch-upload blog content to a WordPress site via the REST API. Triggers include any mention of...

by LeroyCreates (@leooooooow)

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for leooooooow/wordpress-blog-publisher.

Install the skill "WordPress Blog Publisher" (leooooooow/wordpress-blog-publisher) from ClawHub.
Skill page: https://clawhub.ai/leooooooow/wordpress-blog-publisher
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

openclaw skills install wordpress-blog-publisher

ClawHub CLI

npx clawhub@latest install wordpress-blog-publisher

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The name, description, and REST API endpoints in SKILL.md align with a WordPress publishing skill. However, the SKILL.md expects a Site URL, Username, and Application Password even though the skill metadata declares no required environment variables or primary credential — an inconsistency in how credentials are handled.
! Instruction Scope
Instructions are primarily limited to WP REST API calls and content handling, which is appropriate. Concerns: it references a helper script (scripts/wp_publish.py) that is not present in the package; it mentions image generation triggers and rewriting inline image sources ('gen:<prompt>' and rewriting to source_url) without specifying what generator or endpoint is used; and it instructs writing permalinks back to upstream systems (Bitable, Airtable, Sheets) without describing how or what credentials are required. These gaps give the agent broad discretion to access and transmit content externally.
Install Mechanism
No install spec and no code files — instruction-only — so the skill will not write or execute new code on disk. This is low install risk. The instruction references a helper script that is absent; if the skill expects that script to exist in the runtime, that expectation is unmet.
! Credentials
SKILL.md requires per-run credentials (Site URL, Username, Application Password) and implies credentials for upstream systems (Airtable/Sheets/Bitable) and possibly an image generator. The registry metadata lists no required env vars or primary credential. The lack of declared credential requirements and unspecified upstream credentials is disproportionate and unclear — the agent may prompt for or be given sensitive credentials without the skill declaring them explicitly.
Persistence & Privilege
The skill is not always-enabled and is user-invocable; it does not request persistent presence or modification of other skills. No elevated platform privileges are declared.
What to consider before installing
This skill looks designed to publish to WordPress, but several things don't add up. Before installing or using it: (1) confirm how and where you will provide the Site URL, Username, and Application Password — the registry metadata does not declare any required credentials; (2) request the missing helper script (scripts/wp_publish.py) or ask how the agent will perform the described operations when no code is bundled; (3) verify what 'image generation' service (if any) the skill would call and whether that service would receive your post content or other sensitive data; (4) confirm how permalinks are written back to upstream systems (which services, what credentials are needed, and where that data is sent); (5) test on a staging site and limit the agent to drafting mode until you confirm behavior; and (6) avoid supplying high-privilege WP credentials (use an account scoped to publish only what is necessary). These steps will reduce the risk of accidental credential exposure or unexpected external data transmission.

Like a lobster shell, security has layers — review code before you run it.

latest: vk972017597nhx21vn5hx5zcfwx84kw6y
105 downloads · 0 stars · 1 version · Updated 2w ago · v1.0.0 · MIT-0

WordPress Blog Publisher

This skill turns an AI agent into a reliable publisher for WordPress sites via the REST API (/wp-json/wp/v2/*). Designed for cross-border SEO bloggers.

When to use

  • Batch-publishing SEO articles from any source
  • Updating existing posts (content, SEO title, slug, featured image)
  • Uploading media to the WP library
  • Scheduling future posts
  • Writing permalink back into upstream system (Bitable, Airtable, Sheets)

Prerequisites

  1. Site URL (e.g. https://example.com)
  2. Username
  3. Application Password (WP Admin > Users > Profile > Application Passwords, NOT the login password)

Auth: HTTP Basic with app password.

Core operations

Create a post: POST /wp-json/wp/v2/posts

Upload media: POST /wp-json/wp/v2/media

Update a post: POST /wp-json/wp/v2/posts/<id>

Find by slug: GET /wp-json/wp/v2/posts?slug=my-slug&status=any
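
An added example, not part of the skill and not the scripts/wp_publish.py it references (that file is absent from the package): one way to build the create-post request so that the Application Password only travels over HTTPS, the post stays a draft unless publishing is explicitly allowed, and the per-post log never records the credential. The function names, the allow_publish switch and the sample values are assumptions made for illustration.

```python
import base64
import json
import urllib.request
from urllib.parse import urlsplit

POSTS_ROUTE = "/wp-json/wp/v2/posts"  # route named under "Core operations"


def build_create_post(site_url, username, app_password, title, html,
                      status="draft", allow_publish=False):
    """Return an unsent urllib Request for POST /wp-json/wp/v2/posts."""
    parts = urlsplit(site_url)
    # Basic auth puts the Application Password in every request, only
    # base64-encoded, so refuse anything that is not https.
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("site URL must be https://<host> for Basic auth")
    # Drafting mode by default; any other status needs an explicit opt-in.
    if status != "draft" and not allow_publish:
        raise PermissionError(f"status {status!r} requires allow_publish=True")
    token = base64.b64encode(f"{username}:{app_password}".encode("utf-8"))
    body = json.dumps({"title": title, "content": html, "status": status})
    return urllib.request.Request(
        site_url.rstrip("/") + POSTS_ROUTE,
        data=body.encode("utf-8"),
        method="POST",
        headers={
            "Authorization": "Basic " + token.decode("ascii"),
            "Content-Type": "application/json",
        },
    )


def log_entry(req, outcome):
    """Per-post status log line that never contains the credential."""
    payload = json.loads(req.data)
    return {
        "method": req.get_method(),
        "url": req.full_url,
        "status": payload["status"],
        "title": payload["title"],
        "authorization": "Basic <redacted>",
        "outcome": outcome,
    }


if __name__ == "__main__":
    # Constructed sample values; nothing is sent over the network.
    demo = build_create_post("https://staging.example.com", "editor-bot",
                             "abcd efgh ijkl mnop", "Hello", "<p>Hi</p>")
    print(log_entry(demo, "built, not sent"))
```

The request is only constructed here; sending it (for example with urllib.request.urlopen) is left to the caller, against a staging site first.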

Content handling

  • Markdown to HTML conversion (preserve code fences, tables)
  • Strip YAML front-matter, use for title/slug/categories/tags
  • Upload inline images, rewrite src to source_url
  • Image placeholders ![prompt](gen:<prompt>) trigger image generation if configured

Batch mode

  1. Dry-run first post, show draft URL
  2. After confirm, process rest with 1-2s delay
  3. Keep per-post status log, show summary
  4. On failure, log and continue

Helper script: scripts/wp_publish.py

Commands: upload-media, create-post, update-post, find-by-slug, publish-markdown

Common pitfalls

  • 401: wrong password type (need Application Password)
  • 403: missing publish_posts capability
  • Wrong category/tag IDs per site
  • Images > 2MB: resize before upload
  • Timezone: use date_gmt for UTC certainty

After publishing

Write permalink back to upstream system and flip status to published.
