Trust Assessment
wp-playground received a trust score of 71/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 0 critical, 1 high, 3 medium, and 0 low severity. Key findings include Unpinned Dependency in npx Command, Potential Data Exposure via Implicit Directory Mounting, Remote Code Execution via Untrusted Blueprint URL.
The analysis covered 4 layers: dependency_graph, llm_behavioral_safety, static_code_analysis, manifest_analysis. The llm_behavioral_safety layer scored lowest at 64/100, indicating areas for improvement.
Last analyzed on February 11, 2026 (commit cdc950d5). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Unpinned Dependency in npx Command.** The skill instructs the use of `npx @wp-playground/cli@latest` in multiple commands. The `@latest` tag pulls and executes the most recent version of the package from npm. If the package is compromised or hijacked, this could lead to arbitrary code execution on the host machine running the agent. This pattern is repeated on lines 47 and 54. Pin the package to a specific, known-good version (e.g., `npx @wp-playground/cli@1.2.3`). The agent's tool-use policy should enforce version pinning for all executed packages to mitigate supply chain attacks. | Unknown | SKILL.md:32 |
| MEDIUM | **Potential Data Exposure via Implicit Directory Mounting.** The `--auto-mount` flag mounts the agent's current working directory into the WordPress Playground instance. If an agent is manipulated into executing this command from a directory containing sensitive files (e.g., the user's home directory, a `.git` folder, or cloud credential storage), those files become accessible to code running inside the Playground sandbox, risking data exfiltration. The agent should enforce a strict working directory policy, operating only from designated, non-sensitive workspace directories. The skill should be updated to explicitly warn about the risk of running `--auto-mount` from arbitrary locations. | Unknown | SKILL.md:32 |
| MEDIUM | **Remote Code Execution via Untrusted Blueprint URL.** The command `run-blueprint --blueprint=<file-or-url>` allows executing a WordPress setup script (Blueprint) from a remote URL. If an attacker can control this URL, they can trick the agent into running a malicious blueprint, leading to code execution (e.g., via a malicious plugin) within the sandboxed Playground environment. This could be used to attack other services on the local network or exfiltrate data from mounted volumes. The agent should be configured to only use blueprints from a trusted, allow-listed set of URLs or from local, vetted files. Disallow passing arbitrary, user-provided URLs to this parameter. | Unknown | SKILL.md:47 |
| MEDIUM | **Local File Disclosure via Insecure Blueprint Flag.** The skill suggests using `--blueprint-may-read-adjacent-files` to allow a blueprint to access other files in its directory. If an attacker can control the blueprint file (e.g., by providing a malicious blueprint for the agent to save and run), they could use this feature to read and potentially exfiltrate other sensitive files stored in the same directory. The agent should avoid using the `--blueprint-may-read-adjacent-files` flag. If its use is unavoidable, blueprints should be run from a dedicated, isolated directory containing only the blueprint and its intended assets, with no other sensitive files present. | Unknown | SKILL.md:50 |
Powered by SkillShield