wp-playground
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONREMOTE_CODE_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (LOW): The skill frequently uses
npx @wp-playground/cli@latestto fetch and execute the WordPress Playground command-line interface. Although WordPress is a reputable organization, this package source is not on the explicit trusted list provided in the security guidelines. Severity is low as this is the primary tool required for the skill's functionality. - [COMMAND_EXECUTION] (LOW): The skill provides instructions for executing various shell commands (
server,run-blueprint,build-snapshot) to manage local environments. These are standard operations for development tools. - [REMOTE_CODE_EXECUTION] (LOW): The
run-blueprintfunctionality allows fetching JSON recipes from remote URLs. These recipes can contain arunPHPstep, which executes arbitrary PHP code. While the code is executed within a WebAssembly-based isolated environment, users should exercise caution when loading blueprints from unverified external URLs. - [PROMPT_INJECTION] (SAFE): No patterns of direct prompt injection or instructions to bypass safety filters were detected in the skill files.
- [DATA_EXFILTRATION] (SAFE): No evidence of exfiltration of sensitive files or hardcoded credentials. The documentation explicitly warns users to ensure mounted code is clean of secrets.
Audit Metadata