wordpress-content

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). This prompt includes examples that build and embed Basic auth credentials on the command line (echo -n "username:password" | base64 and curl -H "Authorization: Basic $AUTH"), which requires handling and/or outputting secret values verbatim and is an insecure pattern.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The SKILL.md explicitly instructs fetching and ingesting external/public web content (e.g., Step 3 "wp @site media import "https://..."") and creating posts from HTML files (Step 2 "Post from HTML file"), meaning the agent will pull untrusted third‑party content from arbitrary URLs into the workflow and use it as post/media content that can affect subsequent actions.