wp-to-static
Pass
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION] (SAFE): The skill utilizes command-line tools for site migration. It incorporates specific safety instructions, such as verifying SSH host keys and using ssh-agent, to ensure secure communication without bypassing standard security protocols.
- [DATA_EXPOSURE] (SAFE): While the skill manages access to a WordPress server and SSH keys, it provides clear instructions to avoid hardcoding credentials and includes mandatory steps to exclude sensitive server-side files (e.g., wp-config.php, .env) from being downloaded or committed to version control.
- [INDIRECT_PROMPT_INJECTION] (LOW):
  - Ingestion points: Remote WordPress files (HTML, CSS, JS) are fetched from the server via wget and rsync (File: SKILL.md).
  - Boundary markers: Absent; the skill processes fetched content as raw text for replacement logic without explicit isolation.
  - Capability inventory: Includes Bash, Write, Edit, WebFetch, and Task tools, which could be used to execute commands or modify files if the agent were manipulated.
  - Sanitization: The skill includes a 'Strip WordPress Cruft' step (Step 7) which removes metadata and comments, providing a layer of sanitization for the generated static output.