Security audit

Super Wordpress Mcp 0.0.0

Security checks across malware telemetry and agentic risk

Overview

This WordPress automation skill is mostly coherent, but it exposes broad site-admin powers with weak safety guidance and asks users to store powerful bearer tokens in plain project notes.

Install it only for WordPress sites you control. Use a least-privilege token where the site can issue one, keep real tokens out of TOOLS.md and out of version control (reference them from the environment instead), rotate any token that has been exposed, and require manual review before the skill publishes, deletes, changes plugins or themes, runs SQL, edits WooCommerce data, changes robots.txt, or posts to social accounts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Vague Triggers

Severity: Medium. Confidence: 94%.

The manifest description includes unrelated, nonspecific words such as place names and random terms that do not belong to the WordPress/MCP domain. This kind of trigger-like padding is suspicious because it can manipulate routing, discovery, or prompt matching behavior, causing the skill to be invoked in unintended contexts and expanding access to powerful admin capabilities.

Missing User Warnings (high-privilege capabilities advertised without a risk warning)

Severity: Medium. Confidence: 92%.

The skill advertises full admin, plugin, theme, and database capabilities but does not warn users that these operations can make destructive changes, expose sensitive data, or compromise a site if misused. Because the skill is explicitly designed for high-privilege WordPress automation, the absence of a clear risk warning increases the chance of unsafe use and overbroad trust.

Missing User Warnings (bearer tokens stored in TOOLS.md)

Severity: Medium. Confidence: 95%.

The skill instructs users to store bearer tokens in TOOLS.md and send them in Authorization headers without any warning about secret handling, token scope, or leakage risk. Since these tokens grant access to powerful WordPress MCP operations, accidental exposure through files, logs, prompts, or shared workspaces could enable unauthorized administrative actions across the connected site.
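A pre-commit check that addresses this finding and the Overview's advice not to commit TOOLS.md with real tokens. This is an added example and is not part of the skill or of the audit tooling; the TOOLS.md layout, the secret patterns and the `${WP_MCP_TOKEN}` placeholder name are assumptions, and the sample file and its token are constructed for the example.

```python
"""Pre-commit guard: refuse to commit a TOOLS.md that carries a live bearer token.

Added example; not part of the skill or the audit. The file layout, the
${WP_MCP_TOKEN} placeholder name and the secret patterns are assumptions.
"""
from __future__ import annotations

import re
import sys
from pathlib import Path

# "Authorization: Bearer <opaque>" written the way the skill's notes tell users to.
BEARER_RE = re.compile(r"(?i)authorization\s*:\s*bearer\s+([A-Za-z0-9._\-+/=]{16,})")
# Bare "token: <opaque>" / "api_key = <opaque>" style lines.
KEY_VALUE_RE = re.compile(
    r"(?i)\b(token|api[_-]?key|secret|password)\b\s*[:=]\s*[\"']?([A-Za-z0-9._\-+/=]{16,})"
)

# Constructed sample of a TOOLS.md; the hex token is invented for this example.
SAMPLE_TOOLS_MD = """# TOOLS.md (constructed sample)
## wordpress-mcp
Endpoint: https://example.com/wp-json/mcp/v1
Authorization: Bearer 7f3a9c1e4b2d8f6a0c5e9b1d3f7a2c4e
Notes: CI reads the real token from ${WP_MCP_TOKEN}
api_key = YOUR_API_KEY_HERE
"""


def _is_placeholder(value: str) -> bool:
    """SHOUTY_SNAKE_CASE values are env-var names or fill-in-later markers, not secrets."""
    return re.fullmatch(r"[A-Z_]+", value) is not None


def find_secrets(text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, kind, masked_value) for every line that looks like a live credential."""
    hits: list[tuple[int, str, str]] = []
    for n, line in enumerate(text.splitlines(), 1):
        for kind, rx in (("bearer", BEARER_RE), ("key-value", KEY_VALUE_RE)):
            m = rx.search(line)
            if m and not _is_placeholder(m.group(m.lastindex)):
                v = m.group(m.lastindex)
                hits.append((n, kind, v[:4] + "..." + v[-2:]))
    return hits


def redact(text: str, placeholder: str = "${WP_MCP_TOKEN}") -> str:
    """Replace each live credential with an env-var reference so the file is safe to commit."""
    out = []
    for line in text.splitlines(keepends=True):
        for rx in (BEARER_RE, KEY_VALUE_RE):
            m = rx.search(line)
            if m and not _is_placeholder(m.group(m.lastindex)):
                s, e = m.span(m.lastindex)
                line = line[:s] + placeholder + line[e:]
        out.append(line)
    return "".join(out)


def main(argv: list[str]) -> int:
    """Usage: check_tools_md.py TOOLS.md  (a non-zero exit blocks the commit in a pre-commit hook)."""
    path = Path(argv[1]) if len(argv) > 1 else Path("TOOLS.md")
    text = path.read_text(encoding="utf-8") if path.exists() else SAMPLE_TOOLS_MD
    hits = find_secrets(text)
    for n, kind, masked in hits:
        print(f"{path}:{n}: {kind} credential {masked} must not be committed; reference an env var instead")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Wire it in as a pre-commit hook on TOOLS.md (and add TOOLS.md to `.gitignore` if the file must hold the real value locally). The placeholder check deliberately ignores SHOUTY_SNAKE_CASE values so that `${WP_MCP_TOKEN}` and `YOUR_API_KEY_HERE` style markers do not trip the hook, while real opaque tokens do.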

Missing User Warnings (theme file write, modify and delete)

Severity: Medium. Confidence: 91%.

This section documents powerful theme file write, modify, and delete capabilities without any accompanying requirement for user confirmation, path restrictions, or warnings about destructive actions. In an agent context, exposing arbitrary filesystem mutation primitives over themes can enable unauthorized code injection, persistence, or site breakage if the agent acts on ambiguous or malicious prompts.

Missing User Warnings (plugin create, activate, modify and delete)

Severity: Medium. Confidence: 94%.

The plugin management section exposes creation, activation, modification, and deletion capabilities with no strong operational safeguards. Because plugins execute code in WordPress, these primitives are especially dangerous: an agent could install or alter executable PHP and activate it, leading to arbitrary code execution, persistence, data theft, or denial of service.

Missing User Warnings (post create, update, search-replace and delete)

Severity: Medium. Confidence: 90%.

The reference explicitly advertises post creation, update, search-replace, and deletion capabilities without any caution about confirmation, authorization, or irreversible effects. In an agent skill, this can normalize autonomous destructive actions and increase the chance that an LLM uses these tools without sufficient user intent validation, leading to content loss or unauthorized modification.

Missing User Warnings (plugin/theme activation, source file writes, option changes and SQL execution)

Severity: High. Confidence: 97%.

These sections expose highly privileged capabilities: activating plugins/themes, reading and writing source files, installing code, changing options, and executing SQL queries. Without strong safety guidance, the skill encourages use of primitives that can lead to remote code execution, site compromise, privilege abuse, or destructive database modification if an agent is prompted maliciously or acts incorrectly.

Missing User Warnings (social posting and AI-generated media)

Severity: Medium. Confidence: 84%.

The skill describes social posting and AI-generated media publication workflows without warning about public dissemination, brand risk, copyright/privacy issues, or the need for approval before posting generated or scheduled content. In an autonomous agent context, this increases the likelihood of accidental disclosure, reputational harm, or publication of unreviewed AI-generated material.

Missing User Warnings (mwseo_set_robots_txt)

Severity: Medium. Confidence: 90%.

The reference exposes a write-capable `mwseo_set_robots_txt` operation with no safety warning, permission caveat, or guidance about the SEO and availability consequences of changing `robots.txt`. In an agent skill context, this is dangerous because an agent could be induced to block crawling, expose unintended directives, or otherwise alter site visibility through a single documented action.

VirusTotal

0 of 64 VirusTotal vendors flagged this skill; all 64 reported it clean.

Static analysis

No suspicious patterns detected. A clean malware verdict here and on VirusTotal does not address the SkillSpector findings above, which concern how the skill's legitimate administrative capabilities can be misused rather than malicious code in the skill itself.