WordPress site health audit, performance optimization, database cleanup, autoload tuning, slow query detection, wp-config management, image size control, fro...
Security Analysis
Confidence: medium. The skill's claimed diagnostic-only behavior mostly matches the WP-CLI instructions, but there are a few inconsistencies and high-impact actions (plugin install, persistent monitoring, automatic autoload edits) that deserve careful review before use.
The name and description match the instructions: the skill uses WP-CLI for diagnostics and recommends installing an optional plugin for ongoing features. However, some of the plugin's capabilities (autoloader learning, always-on slow-query/callback profiling, automatic wp-config edits) are write-heavy and high-impact: appropriate for a plugin, but not for a read-only audit. The SKILL.md claims the diagnostics work without the plugin, which is coherent, but the persistent features rely on installing site-side code that modifies the database and options.
The SKILL.md asserts the agent will run only read-only WP-CLI commands and SQL SELECTs and that it will not log, store, or transmit outputs. Those are developer assurances in prose and are not enforced by the skill metadata. Separately, the recommended plugin explicitly performs persistent monitoring and option changes on the site (disabling autoloaded options, storing session history), which is outside a read-only diagnostic scope and could have lasting effects if installed or activated inadvertently.
This is an instruction-only skill (no install spec), so the skill itself writes nothing to the site. If the agent instructs the user to run 'wp plugin install' or similar, that will download and execute third-party code on the site. The SKILL.md provides a homepage and GitHub link, but the registry metadata noted 'Source: unknown', a minor inconsistency worth resolving before installing the plugin.
The skill declares only the 'wp' binary as a requirement, with no environment variables or credentials in the registry. This is proportionate for a WP-CLI based diagnostic tool. Note: WP-CLI runs with the filesystem rights of the invoking shell account and the database credentials in wp-config.php, so plugin installation or configuration through it needs shell access with write permissions; ensure the executing account has only the (limited) privileges the diagnostics require.
The skill itself is not always-enabled (always:false) and is user-invocable, but it recommends installing a plugin that implements continuous monitoring and database/options changes. If a user follows those instructions, the site gains persistent instrumentation and automated autoload edits. Because the platform can invoke the skill autonomously, this combination increases the blast radius if the agent acts without explicit user consent to install or activate site-side code.
Guidance
This skill appears to be a WP-CLI based diagnostic helper that optionally recommends installing a plugin which performs persistent, write-heavy operations (autoloader changes, slow-query/callback logging, wp-config edits). Before using or allowing the agent to install/activate anything:
(1) verify the plugin source and review its GitHub repo and code yourself;
(2) run first on a staging copy or take a full backup (DB + files);
(3) restrict the shell account used by WP-CLI to the least privilege required;
(4) confirm exactly which WP-CLI commands the agent will run and decline any 'wp plugin install/activate' or 'wp config set' operations until reviewed;
(5) be aware that the SKILL.md's promises about 'no logging/transmission' apply to the agent's behavior, not to the plugin's own monitoring; the plugin will store logs on your site if installed.
If you want, ask the skill author or provide the GitHub link and I can point to specific files to audit before installation.
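Step (4) above can be enforced mechanically rather than left to the agent's prose promises. The script below is an added example written for this analysis; it is not code from the WP Multitool skill, its companion plugin, or ClawHub. It classifies each WP-CLI command line before running it and executes only read-only diagnostics, refusing plugin installs, wp-config edits and any SQL that is not a single SELECT. The allowlist of subcommands, the "single SELECT" rule and the default wp_ table prefix are this example's own assumptions about a sensible audit scope.

```bash
#!/usr/bin/env bash
# Added example for the security analysis above; not code from the WP Multitool
# skill, its plugin, or ClawHub. Enforces guidance step (4): an agent's WP-CLI
# command is classified first and only read-only diagnostics are executed.
# The allowlist and the "single SELECT" rule are this example's assumptions.
set -u

# Read-only "<group> <verb>" pairs an audit actually needs (assumed allowlist).
# Anything absent here is refused, so a new verb must be added deliberately.
WP_READONLY_ALLOW='core version|core verify-checksums|plugin list|plugin verify-checksums|theme list|option list|option get|db size|db tables|db check|db prefix|config list|config get|user list|cron event list|transient list|site list'

# wp_classify [wp] <subcommand...>  ->  prints "readonly" or "deny:<reason>".
# Takes the command as separate arguments, never as one string, so nothing is
# re-parsed with eval and a "$(...)" hidden inside an argument never runs.
wp_classify() {
  local sub="" sql="" n=0 arg
  [ "${1:-}" = wp ] && shift                      # tolerate a leading "wp"
  for arg in "$@"; do
    case "$arg" in --*) continue ;; esac          # skip flags such as --path=
    n=$((n + 1))
    if [ "$n" -le 2 ]; then sub="${sub:+$sub }$arg"; else sql="$arg"; break; fi
  done
  if [ "$sub" = "db query" ]; then
    # The skill promises "SQL SELECTs" only: accept a single SELECT statement,
    # refuse stacked statements and SELECT ... INTO OUTFILE/DUMPFILE, which
    # write files even though the verb is still "query".
    if printf '%s' "$sql" | grep -Eiq '^[[:space:]]*select[[:space:]]' \
       && ! printf '%s' "$sql" | grep -Eiq 'into[[:space:]]+(outfile|dumpfile)' \
       && ! printf '%s' "$sql" | grep -Eq ';[[:space:]]*[^[:space:]]'; then
      echo readonly
    else
      echo deny:unsafe-sql
    fi
  elif printf '%s\n' "$sub" | grep -Eqx "($WP_READONLY_ALLOW)"; then
    echo readonly
  else
    echo deny:not-in-allowlist
  fi
}

# wp_guard [wp] <subcommand...>  ->  runs the command only if it is read-only.
# Refusals go to stderr with a non-zero status so a caller cannot miss them.
wp_guard() {
  local verdict
  verdict="$(wp_classify "$@")"
  [ "${1:-}" = wp ] && shift
  if [ "$verdict" != readonly ]; then
    printf 'REFUSED (%s): wp %s\n' "$verdict" "$*" >&2
    return 1
  fi
  if command -v wp >/dev/null 2>&1; then
    wp "$@"
  else
    printf 'dry-run (no wp binary on PATH): wp %s\n' "$*"
  fi
}

# The read-only audit the analysis describes, every step passing through the
# guard. The last query assumes the default "wp_" table prefix.
wp_readonly_audit() {
  wp_guard core version --extra &&
  wp_guard plugin list --fields=name,status,version,update &&
  wp_guard option list --autoload=on --fields=option_name,size_bytes &&
  wp_guard db query "SELECT option_name, LENGTH(option_value) AS bytes FROM wp_options WHERE autoload='yes' ORDER BY bytes DESC LIMIT 20"
}

# What the optional plugin would require, and what the guard does with it:
#   wp_guard plugin install <slug> --activate   -> REFUSED (deny:not-in-allowlist)
#   wp_guard config set WP_DEBUG true --raw     -> REFUSED (deny:not-in-allowlist)
```

The guard receives the command as separate arguments so the SQL remains one argument and is never re-evaluated by the shell; a harness that gets a single command string from the agent should split it with shell quoting rules or reject it rather than pass it through eval. Unknown verbs are refused rather than allowed, so extending the audit means consciously editing WP_READONLY_ALLOW.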
Latest Release
v1.1.18
Fix skill name to WP Multitool. Add explicit security safeguards for sensitive data handling. Add GitHub source link for plugin verification. Clarify read-only data scope.
Published by @MarcinDudekDev on ClawHub