wordpress-router
Pass
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes a local Node.js script located at
skills/wp-project-triage/scripts/detect_wp_project.mjs. This script is used for repository triage and classification, which is a standard part of the skill's primary functionality. - [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by reading user-controlled repository configuration files (e.g.,
package.json,composer.json,style.css) to classify projects. This behavior is documented as safe as it is essential for the tool's routing logic and lacks dangerous downstream side effects. - [SAFE]: No remote code downloads, data exfiltration, or obfuscation patterns were identified. The filesystem access is restricted to reading public project manifests within the target repository.
Audit Metadata