wp-cloudsync-master

Fail

Audited by Socket on Feb 21, 2026

1 alert found:

Malware (HIGH)
SKILL.md

[Skill Scanner] Natural language instruction to download and install from URL detected

All findings:
[CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4]
[CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4]

This skill/documentation appears coherent and consistent with a legitimate WordPress media-offload plugin. The primary risks are supply-chain (PRO ZIP from vendor site), credential handling (storing/using high-value keys and service account JSON via env, CLI flags, wp-config, or DB), and destructive settings (deleting local files after upload). No direct evidence of malicious code or obfuscated payloads is present in the provided text. Recommend treating credentials carefully (use environment variables or secure secret storage, avoid secrets in CLI flags/shell history), verify vendor downloads (checksum/signing), and review plugin behavior in a staging environment before wide deployment.

LLM verification: This SKILL.md is documentation for a WordPress plugin management skill. It is functionally consistent with its stated purpose: it legitimately requests cloud storage credentials and points to provider endpoints. No explicit malicious code or credential-exfiltration patterns are present in the provided document. Primary risks are supply-chain (downloading the PRO ZIP from the vendor site without integrity verification), sensitive-credential handling (encouraging use of access keys and service acc

Confidence: 95%
Severity: 90%
Audit Metadata
Analyzed At: Feb 21, 2026, 07:16 PM
Package URL: pkg:socket/skills-sh/1TeamSoftware%2Fskills%2Fwp-cloudsync-master%2F@e96b7e4beb99bdb856dc6226161962fa4dbabf09