← 返回 Skills 市场
372
总下载
1
收藏
0
当前安装
4
版本数
在 OpenClaw 中安装
/install wordpress-selfhosted
功能描述
Manage a self-hosted WordPress site via SSH+WP-CLI (primary) and WP REST API (when direct HTTPS access is available). Use when asked to write, draft, publish...
安全使用建议
This skill appears to do what it says, but pay attention to operational security before installing:
- Pre-populate known_hosts or avoid accept-new: remove -o StrictHostKeyChecking=accept-new and add the host key to known_hosts to avoid TOFU risks.
- Protect app passwords: using op is good, but be aware that passing credentials on command lines (curl -u "user:pass") or storing them in environment variables can expose them in process listings or logs on some systems; prefer using stdin, files with restrictive perms, or authenticated HTTP headers when possible.
- Remote /tmp use: SCPing files to /tmp on the remote machine is convenient but can be risky on multi-tenant systems; ensure the SSH account and remote /tmp permissions are appropriate and that files are removed promptly (the instructions do this, but verify it in practice).
- Least privilege SSH user: give the WP SSH user only the permissions it needs (wp-cli operations) and avoid using root or overly privileged accounts.
- 1Password/SSH agent: ensure your SSH agent socket and 1Password agent are properly secured and that PTY requirements are acceptable for automation.
- Test in a safe environment first: validate the flow on a staging site and confirm REST auth behavior (proxies, Cloudflare, and Wordfence may block app passwords) before running on production.
If you cannot or will not accept the TOFU pattern, remote /tmp writes, or the credential handling model described, do not enable the skill until those operational details are addressed.
功能分析
Type: OpenClaw Skill
Name: wordpress-selfhosted
Version: 1.0.3
The skill bundle provides the agent with high-risk capabilities, including remote shell access via SSH and file transfers via SCP to manage a WordPress installation. While these actions are aligned with the stated purpose, the instructions in SKILL.md include risky practices such as using 'StrictHostKeyChecking=accept-new' (TOFU) and revealing credentials via the 1Password CLI ('op item get --reveal'). The use of shell command templates also introduces a potential surface for shell injection if the agent handles unsanitized input during execution.
能力评估
Purpose & Capability
Required binaries (ssh, scp, wp, curl, jq) and required env vars (WP_HOST, WP_SSH_USER, WP_ROOT) directly match the declared purpose of operating WordPress over SSH/WP-CLI and REST. The optional 'op' (1Password CLI) is a reasonable convenience for credential hydration. No unrelated services, binaries, or credentials are requested.
Instruction Scope
The SKILL.md stays within the scope of WordPress management, describing SSH/WP-CLI flows, REST calls, temp-file handling, and optional 1Password integration. However there are noteworthy security considerations in the instructions: it recommends -o StrictHostKeyChecking=accept-new (trust-on-first-use), it uploads post HTML into /tmp on the remote host (multi-tenant /tmp could be a concern), it retrieves app passwords into shell variables and uses curl -u "user:pass" which may risk exposure in some environments or logs, and it requires PTY for macOS 1Password agent flows. These are operational risks (not incoherence) that the user should weigh and mitigate.
Install Mechanism
Instruction-only skill with no install spec or remote downloads; lowest install risk because nothing is written to disk by the skill package itself. All runtime behavior depends on existing tooling on the host environment.
Credentials
Only WP_HOST, WP_SSH_USER, and WP_ROOT are required (all relevant). Optional settings (WP_USER, WP_1P_ITEM) are justified by the documented 1Password and REST flows. No unrelated secrets or broad cloud credentials are requested.
Persistence & Privilege
Does not request always:true and is user-invocable. It does not modify other skills or require system-wide config changes. Autonomous invocation is permitted by default (platform normal), but this skill's requested privileges are not unusually broad.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install wordpress-selfhosted - 安装完成后,直接呼叫该 Skill 的名称或使用
/wordpress-selfhosted触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.3
Declare WP_HOST/WP_SSH_USER/WP_ROOT as required env vars (gating); switch SSH default to StrictHostKeyChecking=accept-new; document StrictHostKeyChecking=no as CI-only opt-in
v1.0.2
Security scan fixes: temp file cleanup pattern, ssh-keyscan alternative, op --reveal behavior documented, config requirements explicit
v1.0.1
Security scan fixes: declare op as optional bin, add Security Notes section, document SSH/credential flows
v1.0.0
Initial release — SSH+WP-CLI primary, REST API conditional, Cloudflare/SSL mismatch documented
元数据
常见问题
WordPress Self-Hosted 是什么?
Manage a self-hosted WordPress site via SSH+WP-CLI (primary) and WP REST API (when direct HTTPS access is available). Use when asked to write, draft, publish... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 372 次。
如何安装 WordPress Self-Hosted?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install wordpress-selfhosted」即可一键安装,无需额外配置。
WordPress Self-Hosted 是免费的吗?
是的,WordPress Self-Hosted 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
WordPress Self-Hosted 支持哪些平台?
WordPress Self-Hosted 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(darwin, linux)。
谁开发了 WordPress Self-Hosted?
由 Eddy(@eddygk)开发并维护,当前版本 v1.0.3。
推荐 Skills