Is pinch-to-post safe?

https://clawhub.ai/nickhamze/pinch-to-post

Overall score: 85 (SAFE)

Pinch-to-Post is a purely declarative WordPress management skill with no executable code, no data exfiltration attempts, and a clean installation profile. The skill documents extensive server-side security features (capability checks, option denylists, PII redaction, audit logging) but all enforcement depends on the remote WP Pinch plugin — the skill itself is just documentation and agent instructions. The main risk surface is the breadth of 54 MCP tools with destructive capabilities (plugin toggling, user role management, bulk editing) whose safety relies on trust in the remote plugin implementation.

Category Scores (score out of 100 · weight in overall score)

Prompt Injection 78/100 · 30%
Data Exfiltration 90/100 · 25%
Code Execution 100/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 72/100 · 5%

Findings (8): severity, title, score impact

LOW Agent persona reframing -5

The skill instructs the agent 'You are an AI agent managing a WordPress site through the WP Pinch plugin' which sets a specific persona context. While standard for skills, this subtly reframes the agent's identity and priorities toward WordPress management.

LOW Broad trigger keywords may cause unintended activation -7

Triggers include very generic terms like 'blog', 'post', and 'publish' which could cause the skill to activate on unrelated conversations about blogging or publishing in general.

MEDIUM Explicit behavioral constraint on agent tool usage -10

The skill explicitly tells the agent to refuse curl/HTTP requests and only use MCP tools. While this is a security-positive constraint, it demonstrates the skill's ability to override agent behavior patterns. A malicious skill could use the same mechanism to redirect tool usage to attacker-controlled endpoints.

MEDIUM Large tool surface area with destructive capabilities -15

54 MCP tools including plugin toggling, theme switching, user role management, cron manipulation, bulk editing, and post deletion create a significant attack surface. Security depends entirely on the remote WP Pinch plugin's server-side enforcement, which this audit cannot verify.

LOW Security claims are unverifiable from skill alone -8

The skill documents extensive security features (option denylist, role escalation blocking, PII redaction, protected cron hooks, daily write budget, audit logging, kill switch) but all enforcement happens in the remote WP Pinch plugin. A user must trust the plugin implementation matches these claims.

LOW Content export capabilities exist by design -10

Tools like export-data, site-digest, and synthesize can extract significant amounts of site content. This is intended functionality with documented PII redaction, but users should be aware of the data exposure surface.

INFO No executable code present 0

The skill is purely declarative with no code artifacts, install scripts, git hooks, submodules, or symlinks. This is the ideal security posture for a skill.

INFO Clean installation with no side effects 0

Installation produced no filesystem events, network connections, process executions, or firewall blocks. The skill installed cleanly as a static file bundle.