wp-plugin-dev
Pass
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill presents a surface for indirect prompt injection as it processes untrusted user requirements to generate plugin code. Ingestion points: User-provided feature requirements gathered in the initial workflow steps of SKILL.md. Boundary markers: None identified; the skill does not use specific delimiters or instructions to treat user input as untrusted data. Capability inventory: The skill provides instructions to write generated code to the local file system (e.g., /mnt/user-data/outputs/). Sanitization: There is no sanitization of user requirements before they are interpolated into the plugin code templates.
- [SAFE]: The skill incorporates extensive security documentation in references/security.md and references/wp-org-guidelines.md, mandating the use of WordPress security functions such as $wpdb->prepare(), sanitize_text_field(), and wp_verify_nonce().
- [SAFE]: The architecture follows modern WordPress development standards, utilizing modular classes and official coding conventions to minimize the risk of vulnerabilities in the generated plugins.
Audit Metadata