Trust Assessment
wordpress-publisher received a trust score of 80/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 3 findings: 0 critical, 0 high, 3 medium, and 0 low severity. The findings are a suspicious import (`requests`), an unpinned Python dependency version, and dynamic dependency download combined with undeclared libraries.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| MEDIUM | Suspicious import: requests. Import of `requests` detected. This module provides network or low-level system access; verify that the import is necessary, because network and system modules in skill code may indicate data exfiltration. | Static | skills/asif2bd/wordpress-publishing-skill-for-claude/scripts/wp_publisher.py:12 |
| MEDIUM | Unpinned Python dependency version. Requirement `requests>=2.25.0` is not pinned to an exact version; pin Python dependencies with `==<exact version>`. | Dependencies | skills/asif2bd/wordpress-publishing-skill-for-claude/requirements.txt:4 |
| MEDIUM | Dynamic Dependency Download and Undeclared Libraries. `scripts/wp_publisher.py` downloads NLTK data (`stopwords`, `punkt`) at runtime with `nltk.download()`. This introduces a dynamic dependency on an external source, which is a supply chain risk if the NLTK data server were compromised, and it is an excessive permission (uncontrolled network access for data download) for a skill that should ideally be self-contained. Additionally, `nltk`, `rake_nltk`, and `keybert` are conditionally imported and used for tag generation but are not declared in `requirements.txt`; this makes the skill's full dependency tree opaque and can lead to unexpected behavior or security vulnerabilities if these undeclared libraries or their sub-dependencies are compromised. Remediation: 1. Declare all dependencies: add `nltk`, `rake_nltk`, and `keybert` with version pins to `requirements.txt`. 2. Pre-package NLTK data: ship `stopwords` and `punkt` with the skill or provide them in the execution environment, and remove the `nltk.download()` calls. 3. Explicitly allow or warn: if dynamic download is strictly necessary, the skill's manifest or documentation should state this network requirement and its purpose, and the host environment should be able to control or approve such downloads. | LLM | scripts/wp_publisher.py:995 |
Full report: https://skillshield.io/report/b77d46c91c4ae2d1