📦 Jrb Remote Site Api Skill Repo — WordPress远程管理
v1.0.0通过 jrb-remote-site-api 插件连接任意 WordPress 站点,实现后台管理、内容 CRUD、插件/主题管理以及 Fluent 系列插件集成,一站式远程运维 WordPress。
0· 403·0 当前·0 累计
by 下载技能包
最后更新
2026/4/22
安全扫描
OpenClaw
可疑
medium confidenceNULL
评估建议
This skill appears to be what it says (a wrapper for the JRB Remote Site API), but the published metadata does not declare the environment variables or credential file the SKILL.md and README say are required. Before installing: 1) Confirm the skill's publisher and the plugin sources (WordPress plugin page / GitHub) are legitimate. 2) Do not place site tokens in broadly accessible/shared config files; prefer per-site, least-privilege tokens and limit their scope. 3) Update your agent config to e...详细分析 ▾
ℹ 用途与能力
The skill claims WordPress admin and Fluent-suite integration via the jrb-remote-site-api plugin, which coherently requires a site URL and API token; however the published registry metadata lists no required environment variables or primary credential even though SKILL.md explicitly requires JRB_API_URL and JRB_API_TOKEN. This mismatch between declared metadata and actual runtime needs is unexpected.
⚠ 指令范围
SKILL.md contains concrete curl examples using JRB_API_URL and JRB_API_TOKEN and describes admin actions (content CRUD, plugin/theme management, media uploads). The README further suggests storing/looking up multiple site credentials in a .credentials/jrb-sites.json mapping and says the agent will 'look up' credentials — implying the agent may read local credential files/config that are not declared in the skill metadata. The instructions do not direct data to unexpected external endpoints, but they do imply filesystem access to agent credential storage without declaring or documenting that access.
ℹ 安装机制
This is an instruction-only skill (no install spec or code files). README points to the official plugin and GitHub repo and suggests 'clawhub install jrb-remote-site-api', but there is no bundled install that would place code on disk. Because nothing is downloaded or executed by the skill itself, install risk is low — however the guidance about using clawhub and the external plugin should be validated by the user (confirm plugin source and version).
⚠ 凭证需求
The runtime instructions legitimately require two secrets (JRB_API_URL and JRB_API_TOKEN). The skill metadata, however, declares no required env vars or primary credential. README also recommends storing multiple tokens in a .credentials file, which increases the places secrets may live. The absence of declared credential requirements in the registry is a proportionality/documentation mismatch and raises the risk of unexpected credential access by the agent.
✓ 持久化与权限
The skill does not request always:true, does not include an install that writes persistent binaries, and does not claim to modify other skills or system-wide settings. Agent autonomous invocation is enabled by default but not unusual; nothing in the skill requests elevated persistent privileges.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/2/27
NULL
● 可疑
安装命令
点击复制官方npx clawhub@latest install jrb-remote-site-api-skill-repo
镜像加速npx clawhub@latest install jrb-remote-site-api-skill-repo --registry https://cn.longxiaskill.com