wp-plugin-development
Pass
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The detect_plugins.mjs script parses WordPress plugin headers from repository files. This is an indirect prompt injection surface because malicious content within a plugin's name or description could potentially influence the AI agent's behavior.
- Ingestion points: The script reads the first 128KB of all .php files in the repository workspace.
- Boundary markers: Extracted header data is formatted as a JSON object, providing some structural separation from instructions.
- Capability inventory: The skill environment supports file system operations and command execution via Node.js, Bash, and WP-CLI.
- Sanitization: No sanitization is performed on the text extracted from the plugin headers beyond basic trimming.
Audit Metadata