wp-apis
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- Data Exposure & Exfiltration (SAFE): The code examples for the WordPress HTTP API use placeholder URLs (api.example.com) and demonstrate the proper use of authorization headers with variables rather than hardcoded secrets.
- Indirect Prompt Injection (LOW): The skill provides examples for shortcodes and meta boxes that ingest external data.
  - Ingestion points: Shortcode attributes and meta box POST data.
  - Boundary markers: None explicitly for LLMs, as this is PHP code.
  - Capability inventory: No unsafe subprocess calls; uses standard WordPress database APIs.
  - Sanitization: Examples correctly use sanitize_text_field(), wp_unslash(), esc_html(), and esc_attr() to handle untrusted input.
- Command Execution (SAFE): A documentation snippet shows a standard system crontab entry for WP-CLI. This is a common administrative instruction for server-side task scheduling and does not constitute a malicious exploit.
- Persistence Mechanisms (SAFE): Includes standard usage of wp_schedule_event for background maintenance tasks, which is an intended architectural feature of WordPress.