← Back to Skills Marketplace
WordPress Remote News Publisher
by
Emilio Petrozzi
· GitHub ↗
· v1.0.0
453
Downloads
1
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install wordpress-remote-news-publisher
Description
Automates news article creation and publishing to remote WordPress via SSH and WP-CLI, including image handling and SEO metadata integration.
Usage Guidance
This skill appears to perform what it says (generate articles, download an Unsplash image, and publish via SSH+WP‑CLI), but there are a few things you should verify before installing or running it:
- Registry metadata mismatch: the skill package requires SSH and Unsplash credentials and certain binaries, but the registry entry lists none. Treat the registry info as incomplete and inspect the included SKILL.md and scripts (you already have them).
- SSH key risk: the scripts require WP_SSH_KEY (a private key path). Only supply a key that is limited in scope on the remote host (not a full root or multi-service key). Prefer a deploy-only account and restrict commands allowed by that key if possible.
- Host-key verification: the scripts set StrictHostKeyChecking=no (disables host key checks). This eases automation but increases MITM risk. Prefer to manually verify and pin the remote host key or remove that option once keys/hosts are trusted.
- Telegram notification is referenced but no configuration is provided — confirm how notifications are implemented before relying on them.
- Temporary files: artifacts (article JSON, media ID, cover metadata) are stored in /tmp. If you run this on a multi-user machine, be aware other users may read those files; consider changing locations or setting restrictive permissions.
- Testing recommendation: run the scripts in an isolated environment first (a staging WordPress instance) with a restricted SSH key and a test Unsplash key. Review and, if desired, remove any insecure SSH options and ensure the remote WP user has limited privileges.
If you need higher assurance, ask the publisher to update the registry metadata to list required env vars and binaries, and to document the Telegram notification mechanism and any remote privileges the SSH account requires.
Capability Analysis
Type: OpenClaw Skill
Name: wordpress-remote-news-publisher
Version: 1.0.0
The skill is classified as suspicious due to several security vulnerabilities, primarily the use of `StrictHostKeyChecking=no` in all SSH and SCP commands across `SKILL.md`, `publish_wp_remote.sh`, and `upload_media_remote.sh`, which disables host key verification and exposes the connection to Man-in-the-Middle attacks. Additionally, the `publish_wp_remote.sh` script uses `file://` paths for post content in remote WP-CLI commands, which could be exploited for Local File Inclusion or Remote Code Execution if the AI agent's generated content (saved to `/tmp/wp_article.json`) were maliciously manipulated. While the skill's stated purpose is legitimate, these flaws present significant attack surfaces without clear evidence of intentional malicious exploitation by the author.
Capability Assessment
Purpose & Capability
SKILL.md and the included scripts clearly need SSH access (WP_SSH_HOST, WP_SSH_USER, WP_SSH_KEY, WP_REMOTE_PATH, etc.), Unsplash API key, and binaries (ssh, scp, python3, convert). However the registry top-level metadata listed 'Required env vars: none' and 'Required binaries: none', which is inconsistent and misleading. The requested credentials (SSH private key path and Unsplash key) are coherent with the stated purpose, but the omission in registry metadata is a red flag for mismatched declarations.
Instruction Scope
The SKILL.md instructions stay largely within the stated purpose: generate articles, download and optimize an Unsplash image, SCP it to the remote server, and run WP-CLI remotely. Concerns: (1) It says 'If this fails, abort and notify via Telegram with error details' but provides no Telegram configuration or env var — that step is underspecified and could lead to ad-hoc messaging behavior. (2) SSH commands use '-o StrictHostKeyChecking=no', which disables host-key verification (convenient but insecure and increases MITM risk). (3) Temporary files are written under /tmp (e.g., /tmp/wp_article.json, /tmp/wp_media_id.txt) which is normal but review who can read /tmp on the environment.
Install Mechanism
There is no install spec (instruction-only plus packaged scripts). No remote downloads or archive extraction at install time. The code files are included in the skill package, so no external install URLs to audit — this is lower install-time risk.
Credentials
The environment variables required by the scripts (WP_SSH_HOST, WP_SSH_USER, WP_SSH_KEY, WP_REMOTE_PATH, WP_AUTHOR_ID, UNSPLASH_ACCESS_KEY, etc.) are proportionate to the functionality (remote SSH access and Unsplash access). The main issue is that the skill registry metadata did not declare these required env vars or binaries — a transparency/integrity problem. Also the skill requires the path to a private SSH key (sensitive); ensure that key has restricted scope and permissions and consider using a key with least privilege on the remote host.
Persistence & Privilege
The skill does not request 'always: true' and does not attempt to modify other skills or system-wide settings. It runs when invoked; autonomous invocation is allowed by default (normal). It stores temporary state in /tmp (media ID, article JSON, post ID) but does not persist credentials or enable itself automatically.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install wordpress-remote-news-publisher - After installation, invoke the skill by name or use
/wordpress-remote-news-publisher - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
WordPress Remote News Publisher v1.0.0
- Initial public release: automated news article generation and remote WordPress publishing via SSH and WP-CLI.
- Includes full editorial workflow with source-verifiable facts, journalistic structure, and Yoast SEO meta integration.
- Automated image pipeline: downloads, optimizes, and uploads Unsplash covers.
- Configurable via environment variables and JSON; supports cron scheduling and manual triggers.
- Robust SSH key setup and connectivity verification; sends Telegram updates for errors and publishing confirmation.
Metadata
Frequently Asked Questions
What is WordPress Remote News Publisher?
Automates news article creation and publishing to remote WordPress via SSH and WP-CLI, including image handling and SEO metadata integration. It is an AI Agent Skill for Claude Code / OpenClaw, with 453 downloads so far.
How do I install WordPress Remote News Publisher?
Run "/install wordpress-remote-news-publisher" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is WordPress Remote News Publisher free?
Yes, WordPress Remote News Publisher is completely free (open-source). You can download, install and use it at no cost.
Which platforms does WordPress Remote News Publisher support?
WordPress Remote News Publisher is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created WordPress Remote News Publisher?
It is built and maintained by Emilio Petrozzi (@promoweb); the current version is v1.0.0.
More Skills