wordpress-publisher
Fail
Audited by Snyk on Mar 8, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). This skill explicitly asks the user for an application password and shows code that embeds the password directly in constructor/API calls and test requests, which requires the LLM to handle and potentially output the secret verbatim.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill explicitly fetches and analyzes content from user-specified WordPress sites via the REST API (e.g., wp.get_categories_with_details(), wp.fetch_preview(), wp.verify_published_post in SKILL.md). That untrusted, user-generated site content is parsed and used to suggest categories, generate tags, validate previews, and decide publish actions, which could enable indirect prompt injection.