jrbconsulting-joel

Jrb Remote Site Api Skill Repo

by Joel · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
Downloads: 444 · Stars: 0 · Active Installs: 0 · Versions: 1
Install in OpenClaw
/install jrb-remote-site-api-skill-repo
Description
Interface with WordPress sites via jrb-remote-site-api plugin for admin tasks, content CRUD, plugin/theme management, and Fluent suite integrations through R...
README (SKILL.md)

JRB Remote Site API Skill

Interface with WordPress sites running the jrb-remote-site-api plugin. This skill enables AI agents to perform administrative tasks, content management, and integration with the Fluent suite (CRM, Forms, Support, etc.) via a secure REST API.

Configuration

Required environment variables for targeting a site:

  • JRB_API_URL: The base URL of the site (e.g., https://jrbconsulting.au)
  • JRB_API_TOKEN: The secure API token configured in the plugin settings

Core Capabilities

1. System & Auth

  • Ping: Verify connection and token validity.
  • Site Info: Get WordPress version, active theme, plugin version, and capabilities.

2. Content Management (CRUD)

  • Posts & Pages: Create, read, update, delete, and list. Supports custom statuses (draft, publish, private).
  • Media: Upload and manage files in the WordPress Media Library.

3. Plugin & Theme Management

  • Plugins: List, install, activate, deactivate, update, and delete.
  • Themes: List active/available themes, switch themes, install from URL.

4. Fluent Suite Integration (Modules)

  • FluentCRM: Manage contacts, lists, tags, and campaigns.
  • FluentSupport: Professional ticket management and customer support.
  • FluentProject: Task and project management automation.
  • FluentBoards: Advanced board and task management.

Usage Patterns

Verification

curl -H "X-JRB-Token: $JRB_API_TOKEN" "$JRB_API_URL/wp-json/jrb-remote/v1/site"

Create a Page

curl -X POST -H "X-JRB-Token: $JRB_API_TOKEN" \
     -H "Content-Type: application/json" \
     -d '{"title": "New Page", "content": "Hello World", "status": "publish"}' \
     "$JRB_API_URL/wp-json/jrb-remote/v1/pages"

Installation

This skill is designed to work with the JRB Remote Site API WordPress plugin. To install: clawhub install jrb-remote-site-api

Usage Guidance
This skill appears to be what it says (a wrapper for the JRB Remote Site API), but the published metadata does not declare the environment variables or credential file the SKILL.md and README say are required. Before installing:
  1. Confirm the skill's publisher and the plugin sources (WordPress plugin page / GitHub) are legitimate.
  2. Do not place site tokens in broadly accessible/shared config files; prefer per-site, least-privilege tokens and limit their scope.
  3. Update your agent config to explicitly provide JRB_API_URL and JRB_API_TOKEN and verify the agent will only read intended credential files (inspect agent/tooling behavior).
  4. If you need stronger assurance, ask the publisher for a clear install manifest and for the skill metadata to list required env vars and any config paths it will read.
  5. Monitor actions taken by the agent (audit logs) when first using the skill.
These steps reduce the risk that the agent will access or transmit credentials unexpectedly.
Capability Analysis
Type: OpenClaw Skill
Name: jrb-remote-site-api-skill-repo
Version: 1.0.0
The skill is classified as suspicious due to its extremely broad and high-risk capabilities, particularly the 'Plugin & Theme Management' functions described in SKILL.md. The ability to install plugins and themes from arbitrary URLs on a target WordPress site presents a critical Remote Code Execution (RCE) vulnerability. While these capabilities might be intended for legitimate administrative tasks, they can be easily abused through prompt injection or a compromised agent to install malicious software, leading to full compromise of the target WordPress site. There is no direct evidence of intentional malicious behavior by the skill itself (e.g., exfiltration from the agent's host), but the inherent power granted makes it a significant security risk.
Capability Assessment
Purpose & Capability
The skill claims WordPress admin and Fluent-suite integration via the jrb-remote-site-api plugin, which coherently requires a site URL and API token; however the published registry metadata lists no required environment variables or primary credential even though SKILL.md explicitly requires JRB_API_URL and JRB_API_TOKEN. This mismatch between declared metadata and actual runtime needs is unexpected.
Instruction Scope
SKILL.md contains concrete curl examples using JRB_API_URL and JRB_API_TOKEN and describes admin actions (content CRUD, plugin/theme management, media uploads). The README further suggests storing/looking up multiple site credentials in a .credentials/jrb-sites.json mapping and says the agent will 'look up' credentials — implying the agent may read local credential files/config that are not declared in the skill metadata. The instructions do not direct data to unexpected external endpoints, but they do imply filesystem access to agent credential storage without declaring or documenting that access.
Install Mechanism
This is an instruction-only skill (no install spec or code files). README points to the official plugin and GitHub repo and suggests 'clawhub install jrb-remote-site-api', but there is no bundled install that would place code on disk. Because nothing is downloaded or executed by the skill itself, install risk is low — however the guidance about using clawhub and the external plugin should be validated by the user (confirm plugin source and version).
Credentials
The runtime instructions legitimately require two secrets (JRB_API_URL and JRB_API_TOKEN). The skill metadata, however, declares no required env vars or primary credential. README also recommends storing multiple tokens in a .credentials file, which increases the places secrets may live. The absence of declared credential requirements in the registry is a proportionality/documentation mismatch and raises the risk of unexpected credential access by the agent.
Persistence & Privilege
The skill does not request always:true, does not include an install that writes persistent binaries, and does not claim to modify other skills or system-wide settings. Agent autonomous invocation is enabled by default but not unusual; nothing in the skill requests elevated persistent privileges.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install jrb-remote-site-api-skill-repo
  3. After installation, invoke the skill by name or use /jrb-remote-site-api-skill-repo
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release: Interface for remote WordPress administration via the JRB Remote Site API.
  • Connect to and authenticate with WordPress sites using secure tokens.
  • Full CRUD support for posts, pages, and media files.
  • Manage plugins and themes (install, activate, update, delete, or switch).
  • Integrate and automate tasks with the Fluent suite (CRM, Forms, Support, Project, Boards).
  • Simple curl usage examples and installation instructions included.
Metadata
Slug jrb-remote-site-api-skill-repo
Version 1.0.0
License
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Jrb Remote Site Api Skill Repo?

Interface with WordPress sites via jrb-remote-site-api plugin for admin tasks, content CRUD, plugin/theme management, and Fluent suite integrations through R... It is an AI Agent Skill for Claude Code / OpenClaw, with 444 downloads so far.

How do I install Jrb Remote Site Api Skill Repo?

Run "/install jrb-remote-site-api-skill-repo" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Jrb Remote Site Api Skill Repo free?

Yes, Jrb Remote Site Api Skill Repo is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Jrb Remote Site Api Skill Repo support?

Jrb Remote Site Api Skill Repo is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Jrb Remote Site Api Skill Repo?

It is built and maintained by Joel (@jrbconsulting-joel); the current version is v1.0.0.
