← 返回 Skills 市场

Wordpress REST API

Name: Wordpress REST API
Author: codedao12

作者 codedao12 · GitHub ↗ · v1.0.0

cross-platform ✓ 安全检测通过

5192

总下载

当前安装

版本数

在 OpenClaw 中安装

/install wordpress

功能描述

OpenClaw skill that provides a WordPress REST API CLI for posts, pages, categories, tags, users, and custom requests using plain HTTP.

使用说明 (SKILL.md)

WordPress REST API Skill (Advanced)

Purpose

Provide a production-ready CLI for WordPress REST API automation. This skill focuses on content workflows (posts/pages), taxonomy (categories/tags), user reads, and safe custom requests without external HTTP libraries.

Best fit

You want a stable CLI for automation and bot workflows.
You need JSON-in/JSON-out for pipelines.
You prefer simple HTTP with no extra dependencies.

Not a fit

You must handle OAuth flows or complex browser-based auth.
You need advanced media uploads (multipart streaming).

Requirements

Node.js 18+ (for native fetch).

One-time setup

Enable the WordPress REST API (default in modern WordPress).
Create an Application Password for a WordPress user.
Confirm the user has the right role (e.g., Editor/Admin).

Install

cd wordpress
npm install

Run

node scripts/wp-cli.js help
node scripts/wp-cli.js posts:list --query per_page=5
node scripts/wp-cli.js posts:create '@post.json'

You can also use npm:

npm run wp -- posts:list --query per_page=5

Credentials

Supported options (first match wins):

Basic auth token: WP_BASIC_TOKEN (base64 of user:app_password)
User + app password: WP_USER + WP_APP_PASSWORD
JWT bearer token: WP_JWT_TOKEN

Required env

WP_BASE_URL (e.g., https://example.com)

Input conventions

JSON can be inline or loaded from file with @path.
Query params use --query key=value (repeatable) or --query key1=value1,key2=value2.

Command map (high level)

Posts:

posts:list, posts:get, posts:create, posts:update, posts:delete

Pages:

pages:list, pages:get, pages:create, pages:update, pages:delete

Taxonomy:

categories:list, categories:create
tags:list, tags:create

Users:

users:list, users:get

Advanced:

request (raw method + path)

Operational guidance

Prefer context=view for read-only list calls.
Use status=draft when staging content.
Implement retries for 429 and transient 5xx errors in orchestrators.

Expected output

JSON to stdout; non-zero exit code on errors.

Security notes

Never log or commit tokens or application passwords.
Use a dedicated low-privilege WordPress account where possible.

安全使用建议

Install only if you want an agent to operate a WordPress site through the REST API. Configure WP_BASE_URL to the intended HTTPS site, use a dedicated low-privilege WordPress application password, avoid passing sensitive local files with @file, and require explicit approval before create, update, delete, publish, or raw request commands.

功能分析

Type: OpenClaw Skill Name: wordpress Version: 1.0.0 The skill is classified as suspicious due to its ability to read arbitrary local files and send their content as JSON payloads to the configured WordPress API. Specifically, the `jsonFromArg` function in `scripts/wp-cli.js` uses `fs.readFileSync` on user-provided file paths (prefixed with '@'), which could be exploited by a compromised agent or malicious user to read sensitive files (e.g., `/etc/passwd`, SSH keys) and exfiltrate them via the WordPress API. Additionally, the `request` command allows arbitrary HTTP methods and paths relative to the WordPress API root, granting broad control over the target WordPress instance.

能力评估

ℹ Purpose & Capability

The ability to list, create, update, and delete WordPress posts/pages and create taxonomy terms matches the stated WordPress REST API automation purpose. The high-impact content mutation capability is disclosed and expected.

ℹ Instruction Scope

Commands are explicit in the documentation, including JSON input via @file and an advanced raw request command. The raw request path is broad within the WordPress REST API, so it should only be used for clearly user-directed operations.

✓ Install Mechanism

The package defines local Node.js script aliases and has no external npm dependencies, remote installer, hidden downloads, or automatic startup behavior.

ℹ Credentials

The skill reads WP_BASE_URL and optional WordPress auth environment variables, which is proportionate for a WordPress API integration and disclosed in SKILL.md and env_example.md.

ℹ Persistence & Privilege

No persistence, background worker, or privilege escalation is shown. Effective authority depends on the WordPress account or token supplied, which may allow publishing, editing, deleting, or user reads.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install wordpress
安装完成后，直接呼叫该 Skill 的名称或使用 /wordpress 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.0

Initial release of the WordPress REST API CLI skill. - Provides a simple CLI for automating WordPress post, page, taxonomy, and user management via the REST API. - Supports JSON-in/JSON-out workflows with minimal dependencies (only native HTTP). - Credentials can be supplied via environment variables for Basic, App Password, or JWT authentication. - Allows advanced custom requests and input via file or command line. - Installation and setup require Node.js 18+ and WordPress REST API/application passwords. - Includes operational guidance and security best practices in documentation.

元数据

Slug wordpress

版本 1.0.0

许可证 —

累计安装 24

当前安装数 24

历史版本数 1

常见问题