WordPress Publisher Skill
v0.1.0
Publish content directly to WordPress sites via REST API with full Gutenberg block support. Create and publish posts/pages, auto-load and select categories from website, generate SEO-optimized tags, preview articles before publishing, and generate Gutenberg blocks for tables, images, lists, and rich formatting. Use when user wants to publish to WordPress, post to blog, create WordPress article, update WordPress post, or convert markdown to Gutenberg blocks.
⭐ 10· 3.8k·15 current·15 all-time
by Asif @asif2bd
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description, SKILL.md, README, and included scripts all align: the skill talks to a WordPress site and converts content to Gutenberg blocks and publishes it. That capability reasonably requires HTTP access and the ability to accept a site URL + application password. However there are small inconsistencies: the package metadata/owner fields look odd (owner shown as 'Suspended suspended' while README and marketplace point to different GitHub links) and the repository includes runnable Python code but the skill metadata declares no runtime/install steps — a mismatch the user should be aware of.
Instruction Scope
SKILL.md is focused on the stated task: it instructs the agent to ask the user for site URL, username and application password, to load categories, generate tags, convert content, preview, and publish. It does not instruct the agent to read unrelated host files, environment variables, or exfiltrate secrets to third-party endpoints. The only notable behavior is that the converter intentionally preserves some HTML (allowed by design), which could include user-supplied HTML.
Install Mechanism
There is no install spec for the skill even though the bundle includes Python scripts and a requirements.txt declaring 'requests'. The README instructs manual 'pip install requests', but the platform may not automatically install dependencies. This mismatch (no declared runtime/install but non-trivial code present) is an operational/consistency risk: if run in an environment without dependencies, behavior may fail or the skill may attempt to run unexpected fallback logic. From a security perspective, there's no remote-download install step in the skill bundle itself — all source files are present — but you should verify how your agent runtime executes included Python code and which packages are actually available.
Credentials
The skill does not declare or require any environment variables or platform credentials; instead it expects the user to provide the WordPress site URL, username, and an application password when connecting. Those are proportionate and expected for a WordPress REST API publisher. Development docs mention a .env for testing, but that's for local tests only. No unrelated cloud credentials or system tokens are requested.
Persistence & Privilege
The skill is not marked 'always:true' and does not request system-wide configuration changes in the repository files. It contains CLI-style scripts and test files but does not request persistent privileges. Autonomous invocation is allowed by default (disable-model-invocation=false) which is normal for skills; combine that with credential use only if you are comfortable with autonomous publishing.
What to consider before installing
What to check before installing or using this skill:
- Verify the source and maintainer: the package metadata shows inconsistent author/homepage data (an account named 'Suspended suspended' and multiple GitHub links). Prefer skills from trusted, well-maintained repositories. If possible, install from the original GitHub repo and confirm its history and issues.
- Inspect scripts/wp_publisher.py before handing over credentials: confirm network targets are only the provided site_url and no hard-coded external telemetry or unknown endpoints are contacted. The bundle includes the Python code locally, so review it or run it in a sandbox/staging environment first.
- Use least-privilege credentials: create a WordPress Application Password with the minimal role needed (prefer Editor over Administrator where possible) and test on a non-production/staging site first. Do not give your main admin password—the SKILL.md already recommends application passwords.
- Validate dependency handling: the repo expects 'requests' but the skill metadata has no install step. Ensure the runtime will install or already provides dependencies; otherwise run the scripts locally in a virtualenv to confirm behavior.
- Be aware of HTML passthrough: the converter intentionally preserves some HTML. If you will publish user-provided or untrusted content, review/sanitize it to avoid injecting unwanted HTML or scripts into your site.
- Run tests locally (pytest) or inspect tests in this bundle to gain confidence in behavior. If you cannot inspect the code, do not provide credentials to the skill and instead run the included scripts yourself on a controlled machine.
If you want, I can scan the full scripts/wp_publisher.py file for network endpoints, data flows, or any code paths that might exfiltrate data, and call out specific lines to review.
Like a lobster shell, security has layers — review code before you run it.
