Security Audit
Automattic/agent-skills:skills/wp-project-triage
github.com/Automattic/agent-skills
Trust Assessment
Automattic/agent-skills:skills/wp-project-triage received a trust score of 94/100, placing it in the Trusted category. This skill has passed all critical security checks and demonstrates strong security practices.
SkillShield's automated analysis identified 1 finding: 0 critical, 0 high, 1 medium, and 0 low severity. The single finding is a potential credential leak via wp-config.php.
The analysis covered 4 layers: manifest_analysis, llm_behavioral_safety, dependency_graph, static_code_analysis. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 8, 2026 (commit 48d4aa21). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| MEDIUM | Potential Credential Leak via wp-config.php: The function `detectConfigConstants` searches for and reads `wp-config.php`, which typically contains sensitive database credentials (`DB_PASSWORD`) and authentication keys (`AUTH_KEY`). The code snippet shows the file being read into memory, but due to truncation, it is not confirmed if secrets are redacted before being included in the JSON output. If the tool outputs these constants to the LLM, it results in a credential leak. Ensure `detectConfigConstants` implements a strict allowlist for constants (e.g., `WP_DEBUG`, `WPLANG`) or explicitly redacts values for keys containing `PASSWORD`, `KEY`, `SECRET`, or `SALT`. | Unknown | scripts/detect_wp_project.mjs:198 |