wordpress-remote-cli

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.90). The raw GitHub URL points to a direct install.sh served from an unfamiliar repo and is used with a curl | bash pattern (high-risk for running arbitrary code), while the example.com image is benign; overall the presence of the executable shell script makes this set suspicious.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). wpklx dynamically discovers and fetches runtime content and routes from arbitrary WordPress sites via their /wp-json REST API (e.g., discover, post list/get, media upload, and examples that mirror or pipe post content), which exposes the agent to untrusted user-generated posts, comments, media, and plugin-provided resources.