Skill v1.0.1

ClawScan security

WordPress Blog Automation · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review: Mar 4, 2026, 6:45 AM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The code matches the stated purpose (publishing to WordPress) and does not request excessive credentials, but there are coherence issues (missing files and doc mismatches) that warrant caution before installing.

Guidance
This package mostly does what it says — it posts article JSON to a WordPress site using Basic auth and writes local logs on failure. Before installing consider:
1) The SKILL.md mentions additional files (formatter.py, scheduler.py) and dependencies that are missing; ask the author for the complete bundle or updated docs.
2) Provide WP credentials only for sites you control or staging instances; app passwords grant post privileges and should be scoped and rotated.
3) The script uses HTTP Basic (base64) headers — ensure you call an HTTPS WP_URL to protect credentials in transit.
4) The tool reads arbitrary article file paths and writes logs/failed HTML locally — avoid pointing it at sensitive directories and review log handling so tokens are not accidentally recorded.
5) If you need scheduling or media upload, verify those features exist in the full package (they are referenced in docs but not implemented in index.py).
If the maintainer cannot explain the missing files or supply a complete, reviewed package, treat this skill as incomplete and avoid running it with real credentials.

Review Dimensions

Purpose & Capability
note: The skill's name/description (WordPress publishing + scheduling) aligns with the included index.py, which implements publishing via the WordPress REST API. However, the SKILL.md references formatter.py and scheduler.py (and additional dependencies such as markdown2/mistletoe) which are not present in the bundle, and the SKILL.md version (1.0.0) differs from registry metadata (1.0.1). These omissions are unexplained and reduce confidence in the package's completeness.

Instruction Scope
note: SKILL.md instructs reading an ARTICLE_JSON path, converting markdown to HTML, uploading images, and scheduling. index.py implements reading a provided article JSON, converting content to HTML, and posting to WordPress; it writes a local failure HTML and appends a log file. The SKILL.md mentions webhooks/cron triggers and image uploads, but index.py has no explicit media upload or scheduler implementation. The code will read arbitrary file paths supplied as --article and write logs/failed HTML to disk — expected for this task but worth noting.

Install Mechanism
ok: No install spec — instruction-only plus a single Python file. No downloads or package installs are performed by the skill itself, which minimizes install-time risk.

Credentials
ok: No required environment variables are declared. Credentials are accepted as CLI args (WP username and application password), which is proportionate for a WordPress publishing tool. The SKILL.md lists WP-related inputs (WP_URL, WP_USERNAME, WP_APP_TOKEN) consistent with the code. There are no unrelated credentials requested.

Persistence & Privilege
ok: always is false and the skill does not request persistent platform privileges. It does not modify other skills or system-wide config; it only writes local logs/failed HTML files as part of its normal operation.