📦 WordPress Security Scanner: Security Protection Tool

v1.0.0

For security vulnerabilities, misconfigurations, and potential threats.

Security scan
VirusTotal
Harmless
OpenClaw
Suspicious
medium confidence
The skill claims to scan WordPress sites but is an instruction-only wrapper pointing to external APIs without declaring servers or any required credentials—this mismatch is unexplained and warrants caution.
Assessment recommendations
This skill appears to be a thin wrapper around a third-party WordPress scanning API but omits critical operational details (server URL in the OpenAPI, authentication, and how billing is handled). Before installing or invoking it: 1) Verify the publisher and reputation of the external API (toolweb.in / api.mkkpro.com). 2) Confirm whether an API key or account is required and whether the skill will prompt you to supply credentials—do not provide secrets unless you trust the provider. 3) Understand...
Detailed analysis
Purpose and capabilities
The SKILL.md advertises an automated WordPress scanner and lists external endpoints (toolweb.in, api.mkkpro.com) and pricing, but the skill contains no implementation code and the openapi.json has no server URL or auth scheme. It is unclear how the agent will perform scans (local logic vs. remote API) and no credentials or billing hooks are declared despite the pricing/options in the documentation.
Instruction scope
Instructions are narrowly scoped to a POST /scan request and example request/response shapes. They do not instruct reading local files or other system state, but they also do not specify which host to call or whether/how to authenticate. The SKILL.md references external API docs and routes, which implies outbound network calls to third-party services.
Install mechanism
No install spec and no code files to execute are included (instruction-only), so nothing will be written to disk by an installer. This minimizes local install risk, but runtime network calls remain possible.
Credential requirements
The skill declares no required environment variables or primary credential, yet its documentation and external endpoints suggest a third-party API that is likely gated by API keys or billing. The absence of declared auth or required secrets is an inconsistency — if an API key is needed the skill should declare it; if not, the docs should explain how unauthenticated use is allowed.
Persistence and privileges
always is false and the skill is user-invocable with normal autonomous invocation allowed. This is the platform default and appropriate for this kind of skill. The skill does not request permanent presence or modification of other skills.
Security is layered; review the code before running.

Runtime dependencies

No special dependencies

Install command

Official: npx clawhub@latest install wordpress-security-scanner
Mirror (accelerated): npx clawhub@latest install wordpress-security-scanner --registry https://cn.longxiaskill.com
Data source: ClawHub · Chinese localization: 龙虾技能库