Security Audit
Automattic/agent-skills:skills/wp-wpcli-and-ops
github.com/Automattic/agent-skills
Trust Assessment
Automattic/agent-skills:skills/wp-wpcli-and-ops received a trust score of 79/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 3 findings: 0 critical, 1 high, 1 medium, and 1 low severity. Key findings: the skill grants access to highly destructive WP-CLI commands; user-controlled arguments are passed directly to the `wp` command; the `--allow-root` flag can be passed to WP-CLI.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on April 1, 2026 (commit 48d4aa21). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Details | Recommendation | Layer | Location |
|---|---|---|---|---|---|
| HIGH | Skill grants access to highly destructive WP-CLI commands | The skill, as described in `SKILL.md`, instructs the agent to use WP-CLI for operations including database export (`wp db export`), search-replace (`wp search-replace`), and plugin/theme management (`wp plugin *`, `wp theme *`). These commands are inherently powerful and can be destructive (e.g., modifying the database, deleting plugins) or lead to data exfiltration (e.g., exporting the entire database) if executed on a sensitive environment without proper authorization or if manipulated by a malicious prompt. While the `wpcli_inspect.mjs` script itself only runs read-only commands, the overall skill enables these dangerous operations. | Implement strict access controls and human-in-the-loop approvals for any write operations or data export commands. Ensure the LLM is robustly guarded against prompt injection attempts that would bypass the described safety procedures. Consider sandboxing the execution environment for WP-CLI commands to limit their blast radius. | LLM | SKILL.md:31 |
| MEDIUM | User-controlled arguments passed directly to `wp` command | The `scripts/wpcli_inspect.mjs` script takes `--path` and `--url` arguments directly from `process.argv` and passes them as distinct arguments to the `wp` executable via `child_process.spawnSync`. While `spawnSync` with an array of arguments prevents classic shell command injection, a malicious user could craft these arguments to alter the behavior of the `wp` command in unintended ways (e.g., by injecting additional `wp` flags such as `--skip-plugins` or `--allow-root` if not already intended, or by causing `wp` to misinterpret subsequent arguments). This depends on how `wp` itself parses arguments. | Implement strict validation and sanitization of user-provided `--path` and `--url` values before passing them to the `wpcli_inspect.mjs` script. Ensure that these values contain only valid file paths or URLs and no characters that `wp` could interpret as additional command-line flags or options. For example, validate that paths are absolute and exist within an allowed directory, and that URLs are well-formed. | LLM | scripts/wpcli_inspect.mjs:30 |
| LOW | `--allow-root` flag can be passed to WP-CLI | The `wpcli_inspect.mjs` script includes logic to accept and pass the `--allow-root` flag to WP-CLI. This flag bypasses WP-CLI's safety check that prevents running commands as the root user, which can lead to severe system damage if misused. While `SKILL.md` does not explicitly instruct the agent to use `--allow-root` for inspection, its availability in the script means a malicious prompt could instruct the LLM to use it, potentially escalating privileges for WP-CLI operations. | Re-evaluate whether the `--allow-root` flag is necessary for the `wpcli_inspect.mjs` script. If it is not strictly required for inspection, remove the parsing and passing of this flag. If it is required for specific, rare scenarios, ensure that its use is subject to explicit human approval and strict contextual checks by the LLM. | LLM | scripts/wpcli_inspect.mjs:10 |