Trust Assessment
wp-project-triage received a trust score of 73/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 1 finding: 1 critical, 0 high, 0 medium, and 0 low severity. Key findings include Potential Credential Harvesting from wp-config.php.
The analysis covered 4 layers: dependency_graph, llm_behavioral_safety, manifest_analysis, static_code_analysis. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 11, 2026 (commit cdc950d5). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Potential Credential Harvesting from wp-config.php.** The script at `scripts/detect_wp_project.mjs` includes a function `detectConfigConstants` that actively searches for, reads, and parses `wp-config.php`. This file contains highly sensitive credentials, including database connection details (`DB_USER`, `DB_PASSWORD`) and authentication secret keys and salts. The script reads the full file content and is designed to extract defined constants. If these sensitive values are included in the script's JSON output, they are exposed to the LLM context and logs, a severe information disclosure that could lead to database compromise. Recommendation: modify `detectConfigConstants` to use a strict allow-list of safe, non-sensitive constants (e.g., `WP_DEBUG`, `WP_ENVIRONMENT_TYPE`); the parsing logic must explicitly ignore and never return any credentials, keys, salts, or other unknown constants. A safer alternative is to remove the function entirely if its output is not essential for the agent's primary task. | Unknown | `scripts/detect_wp_project.mjs:238` |
[Full SkillShield report](https://skillshield.io/report/0857bb4efd5a2f0b)