Trust Assessment
wp-playground received a trust score of 48/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 3 findings: 1 critical, 1 high, 1 medium, and 0 low severity. Key findings include Unpinned dependency execution via npx, Execution of untrusted blueprints from remote URLs or local files, Potential data exposure via mounting local directories containing secrets.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 48/100, indicating areas for improvement.
Last analyzed on June 1, 2026 (commit 9b1e542c). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings3
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Unpinned dependency execution via npx The skill uses `npx @wp-playground/cli@latest` to execute the WordPress Playground CLI. Using `@latest` means the skill will always fetch and execute the newest version of the package from the npm registry. This introduces a significant supply chain risk, as a compromise of the `wp-playground/cli` package or any of its dependencies could lead to the execution of arbitrary malicious code on the host system without explicit user consent or review of the specific version being run. Pin the version of the `@wp-playground/cli` package to a specific, known-good version (e.g., `npx @wp-playground/cli@1.2.3`). Regularly review and update the pinned version to incorporate security fixes, but only after vetting the new version for security vulnerabilities. | Static | SKILL.md:36 | |
| HIGH | Execution of untrusted blueprints from remote URLs or local files The skill instructs the agent to run blueprints using `--blueprint=<file-or-url>`, explicitly mentioning support for remote URLs and local files. It also notes that `--blueprint-may-read-adjacent-files` can be used. A malicious blueprint, especially one fetched from an untrusted remote URL, could contain instructions designed to exploit vulnerabilities within the WordPress Playground environment, attempt to read sensitive local files (if `--blueprint-may-read-adjacent-files` is enabled), or exfiltrate data. The agent might not have the capability to vet the content of a blueprint before execution, leading to potential command injection or data exfiltration within the sandboxed environment. Add a strong warning to the skill advising users/agents to only run blueprints from trusted sources. If possible, implement a mechanism for the agent to prompt for user confirmation before executing blueprints from remote or unverified local paths. Consider adding a policy that disallows `--blueprint-may-read-adjacent-files` for untrusted blueprints. | Static | SKILL.md:53 | |
| MEDIUM | Potential data exposure via mounting local directories containing secrets The skill provides instructions for mounting local directories using `--auto-mount` or `--mount=/host/path:/vfs/path`. While a guardrail advises users to ensure mounted code is 'clean of secrets,' the skill itself does not prevent the agent from mounting a directory that inadvertently contains sensitive information (e.g., `.env` files, API keys, configuration files, SSH keys). This data would then be copied into the Playground's in-memory filesystem, potentially exposing it if the Playground environment is compromised or if a snapshot containing this data is shared. Enhance the guardrail by providing explicit examples of what constitutes 'secrets' and how to identify them. If the agent has capabilities to inspect file contents, it could be instructed to perform a basic scan for common secret patterns in the specified mount paths before proceeding. Alternatively, restrict the scope of `--auto-mount` to specific, known-safe subdirectories or require explicit user confirmation for mounting broader paths. | Static | SKILL.md:36 |
Scan History
Embed Code
[](https://skillshield.io/report/2a94f39e365a5d38)
Powered by SkillShield