wp-orchestrator
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- EXTERNAL_DOWNLOADS (HIGH): The INSTALL.md file directs users to clone a repository from an untrusted GitHub account (CrazySwami/wordpress-dev-skills). This bypasses the safety of vetted skill sources.
- REMOTE_CODE_EXECUTION (HIGH): The skill provides explicit instructions to grant execution permissions (chmod +x) to downloaded scripts and run them via python3 and node. This includes scripts like extract-brand.py, screenshot.py, and audit.py which are not part of the provided file set and must be fetched from the remote repository.
- PROMPT_INJECTION (MEDIUM): The skill is vulnerable to indirect prompt injection (Category 8) by processing untrusted data from external URLs.
  - Ingestion points: Untrusted data enters via the --url and --base-url parameters in DISCOVERY.md and INSTALL.md when running extract-brand.py, screenshot.py, and audit.py.
  - Boundary markers: No boundary markers or 'ignore' instructions are present to prevent malicious content on the target websites from influencing the agent.
  - Capability inventory: The skill possesses significant capabilities including file system writes (--output flags), network requests (requests, playwright), and shell execution via slash commands.
  - Sanitization: No sanitization or validation of the external content is mentioned or implemented in the instructions.
- COMMAND_EXECUTION (MEDIUM): The skill defines multiple slash commands (/wp-setup, /wp-audit, /wp-launch) that execute complex sequences of shell commands, including Docker operations and script triggers, expanding the agent's attack surface.
Recommendations
- AI detected serious security threats
Audit Metadata