chirukinbb

Wopdpress AI Blogger

Author: Bogdan Chirukin · GitHub · v1.0.0
cross-platform ⚠ suspicious
Total downloads: 582
Favorites: 0
Current installs: 4
Versions: 1
Install in OpenClaw
/install wordpress-api-gutenberg
Description
Create, edit, and publish WordPress posts via REST API with full Gutenberg block support. Use when Codex needs to automate WordPress content publishing, gene...
Security Usage Recommendations
This package appears to do what it says (create Gutenberg posts, upload media, manage categories/tags), but exercise caution before using it with real credentials or a production site. Key points to consider:
- Registry metadata does not advertise the environment variables the scripts need (WP_URL, WP_USERNAME, WP_APPLICATION_PASSWORD). Treat that omission as a red flag: verify required variables and where they are stored before use.
- Prefer creating a low-privilege WordPress account (capabilities: edit_posts, but not full admin) or use a scoped Application Password for the site instead of an admin password.
- Review the included Python scripts locally before running. They perform filesystem reads (uploads) and network requests to the specified WP_URL; ensure you won't accidentally upload sensitive local files.
- Avoid following the troubleshooting advice to disable SSL verification in production (verify=False) or to log full HTTP requests in environments where credentials or sensitive content might be recorded.
- Test on a staging site first. Confirm behavior (what gets uploaded, what fields are set) and monitor server logs for unexpected activity.
If you want higher confidence, ask the author/source for corrected registry metadata listing required env vars, or request a minimal example run showing only a safe demo against a known test site.
Functional Analysis
Type: OpenClaw Skill
Name: wordpress-api-gutenberg
Version: 1.0.0
The skill bundle is designed for legitimate WordPress REST API interactions. However, the Python scripts `scripts/media_uploader.py` and `scripts/wp_publish.py` exhibit a local file inclusion/disclosure vulnerability. Both scripts accept file paths for media uploads (via command-line arguments, CSV files, or JSON configuration). If an attacker can control these input paths, they could specify arbitrary sensitive local files (e.g., `/etc/passwd`, `~/.ssh/id_rsa`). The scripts would then attempt to read these files and upload their content to the configured WordPress site, leading to unintended data disclosure. This is a significant vulnerability, not evidence of intentional malicious behavior by the skill author.
Capability Assessment
Purpose & Capability
Name/description match the included scripts: block generation, media upload, and post publishing via the WordPress REST API. The code implements the advertised features (Gutenberg serialization, media upload, categories/tags, publish workflow). However, registry metadata declares no required environment variables even though SKILL.md and the scripts clearly expect WP_URL, WP_USERNAME, WP_APPLICATION_PASSWORD (or username/password for JWT). This metadata omission is an inconsistency.
Instruction Scope
SKILL.md and the scripts remain within the stated purpose: they call WordPress REST endpoints, read files specified for upload, and serialize blocks. Some troubleshooting guidance recommends disabling SSL verification (requests.verify=False) and enabling verbose request logging; those are useful for debugging but increase risk of credential exposure if used indiscriminately. The instructions do not introduce obvious exfiltration endpoints or actions outside the WordPress domain.
Install Mechanism
No install spec (instruction-only) and no external downloads are present; risk from installation mechanism is low. The repository contains runnable Python scripts but nothing is being fetched from untrusted URLs at install time.
Credentials
The skill requires WordPress credentials to operate (application password or username/password) and expects a WP_URL, but the registry metadata lists no required env vars or primary credential, a mismatch that obscures the fact that secrets are necessary. The scripts also recommend logging requests (which can include sensitive info); combined with the missing metadata declaration, this increases the chance that a user hands over high-privilege credentials unknowingly.
Persistence & Privilege
Skill flags show no 'always:true' and it doesn't request permanent platform-level privileges. The scripts do file I/O for media uploads and read files the user instructs them to, but they do not attempt to modify other skills or system-wide agent settings.
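How to Use
  1. Make sure OpenClaw is installed (locally or via Docker).
  2. Enter the install command in the chat box: /install wordpress-api-gutenberg
  3. Once installation completes, invoke the Skill by name or trigger it with /wordpress-api-gutenberg
  4. Provide the required inputs according to the Skill's parameter description to get structured output.
Version History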
v1.0.0
Initial release of WordPress REST API skill with Gutenberg support.
- Enables creating, editing, and publishing WordPress posts programmatically using the REST API.
- Full support for Gutenberg block serialization and compatible content structure.
- Documentation for authentication via Application Passwords, JWT, and environment variables.
- Includes guides for uploading media, managing categories, tags, featured images, and custom fields (ACF).
- Provides error handling tips and troubleshooting references.
- Example scripts and templates included for publishing pipelines and block generation.
Metadata
Slug: wordpress-api-gutenberg
Version: 1.0.0
License:
Total installs: 4
Current installs: 4
Number of versions: 1
FAQ

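What is Wopdpress AI Blogger?

Create, edit, and publish WordPress posts via REST API with full Gutenberg block support. Use when Codex needs to automate WordPress content publishing, gene... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 582 total downloads to date.

How do I install Wopdpress AI Blogger?

Run the command "/install wordpress-api-gutenberg" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.

Is Wopdpress AI Blogger free?

Yes, Wopdpress AI Blogger is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does Wopdpress AI Blogger support?

Wopdpress AI Blogger runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Wopdpress AI Blogger?

It is developed and maintained by Bogdan Chirukin (@chirukinbb); the current version is v1.0.0.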
